‘Catastrophic’ hack underscores US public defender security gaps


Recent cyberattacks on public defenders’ offices in multiple Western US states have spotlighted the technological vulnerabilities of an often overlooked but critical part of the US judicial system.

Public defenders, who represent clients unable to pay for their own lawyers in cases as serious as murder, are a staple of American justice. Many of the offices, which are scattered across the country, house decades of digital client records at any given moment.

Cyberattacks on public defender offices in Arizona, New Mexico and Colorado have impacted thousands of case files, in some cases sabotaging those offices’ ability to defend their clients in a timely manner. 

There’s no indication the separate episodes were part of a coordinated effort by attackers, but security experts say they underscore the appeal of cash-strapped organisations sitting on troves of data.

“Hackers now hit organizations that are unlikely to pay, like public defenders, because the disruption alone creates pressure,” said Jon DiMaggio, chief security strategist at Virginia-based Analyst1. “Going after victims with little to offer shows just how indiscriminate and damaging these attacks have become.”

The Arizona Federal Public Defender’s Office is still reeling from a major hack seven months ago that hijacked its systems and wiped out access to decades’ worth of data.

Officials said the hackers stole and encrypted 60 years’ worth of client records and other internal documents used to defend people accused of crimes ranging from financial fraud to murder. 

The hack sent the office’s attorneys rushing to reconstruct case materials from other sources and prompted requests for delays in a death-penalty case inside the state and another in neighbouring Utah.

‘Catastrophic’ attack

The hack in Arizona was discovered in March and outlined in a court filing in early April. It led to a request for an extension in a capital case involving a man facing execution in Utah. The filing cited the cyberattack and said the office had no access to any of its files and needed more time to prepare a briefing. 

Just a few days earlier, nearly 200 employees of the Arizona Federal Public Defender’s Office had woken up to an urgent text message from their boss, Jon Sands, instructing them to immediately power off their computers and close them, according to people familiar with the matter. They were told the computer network had been encrypted by hackers and all of their files were being held for ransom in cryptocurrency, said the people, who asked not to be named discussing a confidential matter. 

After the initial alert, all employees were told to personally deliver or ship their electronic devices to the Phoenix office for security reviews and resets. A few weeks later, the federal court system offered employees in the Arizona office 12 months of credit monitoring, according to a letter sent to current and former staff that was viewed by Bloomberg. 

The office called in cybersecurity experts, the Justice Department and the Federal Bureau of Investigation to investigate and try to recoup the files, according to the letter.

In another case involving a death row inmate, Sands laid out more details. 

“While the network has been restored, it is a blank slate,” Sands wrote in June. He said in the case of the death row clients, the public defender’s office “has lost decades worth of digital case files and work product that must now be reconstructed in every case. The vast majority of our clients’ life history records and our work product have been lost.” In a subsequent filing, Sands described the attack as “catastrophic.”

‘Data rubble’

Hackers deployed malware that corrupted the entire system, including the backup, turning key case files into “data rubble”, the office’s administrative officer William Sweet said in an email to Bloomberg.

The Arizona office declined to share details about the ransom demand or whether the state paid an extortion fee. No group has publicly claimed responsibility. Cyber researchers and analysts told Bloomberg they haven’t seen evidence the data was published online. 

While the network has been restored, the files remain encrypted and out of reach. The office has requested bids for a provider of data backup services.

“We are still in the process of assessing the breach and restoring data to the best of our ability to support the representation of our clients,” Sands said in an email to Bloomberg. “We have continued to represent them effectively and zealously.”

The Justice Department declined to comment. The FBI said it couldn’t respond during the federal government shutdown. A spokesperson with the Administrative Office of the US Courts acknowledged the attack and said the judiciary worked with cybersecurity experts and federal agencies to investigate the incident and mitigate any potential risks. 

New Mexico

The Arizona breach follows a cyber incident in the New Mexico state-level public defender’s office. The office said it had been the “target of a significant cybersecurity breach, compromising the office’s ability to communicate with clients and criminal court partners and to access critical internal records,” in a July 2024 statement.

Chief Public Defender Ben Baur said in a statement to Bloomberg that the office continues to work to improve security. 

“As public defenders, we work hard to help our clients and communities, with already strained resources,” Baur said. “Dealing with a cyber security incident made our work even more difficult.” His office declined to share whether there was a ransom demand or whether the state paid an extortion fee.

Security strategist DiMaggio pinned the incident on a ransomware group from Eastern Europe known as Rhysida. He said the hackers asked for bids, starting at 10 Bitcoin, which at the time would have been worth just over US$650,000 (RM2.72mil).

At least 1.5 terabytes of data from the breach have been dumped online, including death certificates, driver’s license suspension notices, and the names of inmates held in a county detention centre, DiMaggio said.

Separately, in February 2024, “malware encryption” eliminated network access for the Colorado Office of the State Public Defender, according to a court notice. The office didn’t respond to requests for comment on the attack, whether there was a ransom demand or whether it paid a fee.

Federal courts

Meanwhile, Russian state-sponsored hackers were found lurking in the US courts’ records system, which holds federal court records from district, appellate and bankruptcy courts, Bloomberg News has reported. The hackers had infiltrated the system years ago, gaining access to sensitive documents that were sealed from public view.

It’s unclear exactly when the hackers first penetrated the system and when the courts became aware of the breach. The judiciary said in a statement in August that it was enhancing security for sensitive case documents in response to recent escalated cyberattacks and to block future attacks. 

Alexander Leslie, a senior adviser at cybersecurity firm Recorded Future, said that public-sector organisations like courts “face significant challenges” in girding against cyberattacks.

“Implementing comprehensive backup and recovery systems takes time and sustained investment,” he said. – Bloomberg