Because outsourcing everything to the low bidder is perhaps not the best strategy in the 21st Century. NYPD Fingerprint Database Infected With Ransomware by Third Party Contractor.
So they outsourced the installation of some video equipment in a training location to a 3rd Party, who proceeded to plug an infected device into the NYPD network.
According to the New York Post, which first reported on the incident, the introduction of the malicious ransomware code was detected within a matter of hours. Still, even in that short period of time, the ransomware had proliferated to 23 other machines connected to the NYPD LiveScan fingerprint tracking system. At first, the NYPD thought the ransomware had been inserted maliciously, but after calling in the contractor and asking questions, the NYPD determined that the entire ransomware “attack” had been the result of simple negligence related to an infected device.
Near miss, I would say.
The size and scope of these ransomware attacks raises an interesting question: Why are hackers shifting their focus from corporations to public entities such as the NYPD? The easiest answer to that question is that these public sector entities cannot afford to be offline for more than a few hours at a time, and thus, are very amenable to paying a ransom.
CPO calls this a variation of the Supply Chain attack. If they attacked the contractor specifically, I could see that. But if it is just a contractor being careless, not so much.