City officials have confirmed they detected what they're calling a "limited breach" on a system that supports Baltimore's 911 emergency services. According to The Baltimore Sun, city personnel detected the intrusion at 08:30 local time on 25 March. They quickly determined that unknown attackers had hacked into the municipality's computer-aided dispatch (CAD) system.
This type of network is responsible for displaying 911 callers' location data on mapping systems, streamlining the process of connecting callers with the closest emergency responders and sometimes logging information for records. As such, bad actors can abuse it to potentially steal some medical information and access mapping systems, assets which Baltimore and other cities need in the event of a city-wide emergency.
Upon detection of the incident, employees of the city "temporarily transitioned [Baltimore's 911 and 311 systems] into manual mode." Frank Johnson, chief information officer in the Mayor’s Office of Information Technology, provided The Baltimore Sun with more about this response:
This effectively means that instead of details of incoming callers seeking emergency support being relayed to dispatchers electronically, they were relayed by call center support staff manually.
That is, dispatchers took callers' locations manually without any means to verify those details.
A computer-aided dispatch system. (Source: Wikipedia)
The CAD system was offline for a total of 17 hours. During that time, Baltimore personnel identified the affected server and disconnected it from the city network, thereby remediating the breach. They then fully restored the system at around 02:00 on 26 March. Baltimore Police Commissioner Darryl De Sousa said the incident did not disrupt his officers' ability to respond to emergency callers throughout the city.
At this time, the office of Mayor Catherine Pugh has declined to provide details on what types of information the unknown attackers might have stolen and what their identities might be, explaining that the intrusion is under "active investigation."
News of this limited breach comes amid increased reports of digital attackers targeting government entities. In March, Colorado's Department of Transportation (CDOT) suffered its second attack from the SamSam ransomware family. That threat is believed to have affected customer-facing applications hosted by Atlanta's government a few weeks later.