The number of cybersecurity incidents affecting state and local government entities in Arkansas in fiscal 2023 was more than double the number reported in the previous 11 months, according to an Arkansas Legislative Audit report presented to lawmakers last week.
The report found that 130 cybersecurity incidents were reported to Legislative Audit from July 1, 2022, to June 30, 2023, at 75 public bodies across the state ranging from higher education institutions and public school districts to cities and state agencies.
The number is an increase from the 63 incidents reported from July 28, 2021, to June 30, 2022. Of the 130 reported cybersecurity incidents in fiscal 2023, 73 have been resolved and 57 remain under investigation.
The report defines a cybersecurity incident as "any event that compromises the security, confidentiality, or integrity of an entity's information systems, applications, data or networks."
"Cybersecurity threats facing Arkansas public entities are continuously evolving and increasing in number," legislative auditor David Coles, who presented the report to lawmakers on Thursday, said.
"As a result, it is imperative that the state continue its proactive approach to cybersecurity. Recognizing that cybersecurity incidents will inevitably occur, preparation is key to minimizing interruptions, protecting sensitive information and maintaining public and employee confidence in the safety and security of government networks."
Coles cited two specific cases of ransomware attacks, one against the Little Rock School District in December 2022 and another in November 2022 against Apprentice Information Systems, a vendor that provided computing services in most of the state's 75 counties. Coles said the attack against Apprentice Information Systems "halted most operations in those offices for multiple days, with some offices remaining offline for weeks [or] a few months."
The attack against the Little Rock School District led to the district paying a $250,000 ransom to hackers who broke into the district's internal data network.
Of the 130 reported incidents, school districts and higher education institutions were the top targets. As for the nine types of incidents listed in the report, fraudulent transactions, which made up 52 of the 130 incidents, were the most prevalent, followed by spam or phishing attacks and unauthorized access, both of which had 26 reported cases.
In recent sessions, the Legislature has passed legislation aimed at combating cyberattacks directed on public bodies. In the last regular session, the General Assembly approved a bill creating the Arkansas Cyber Response Board, which provides protection for school districts and municipalities targeted by cyber attacks. The law also defines a minimum standard of cybersecurity that bodies that participate in the program must adhere to.
Another law passed in the last session, Act 504, requires state agencies to adopt policies for technology use and cybersecurity.