Documents reveal how a massive ransomware attack crippled the Fort Bend County libraries system
RICHMOND, Texas (KTRK) -- 13 Investigates received documents that reveal just how massive a cyberattack on Fort Bend County libraries was and how systems could remain down for months.
'Biggest cyber event in Fort Bend County history'
In March, the Fort Bend County libraries said it was impacted by a cyber incident from February. Since then, the library director has provided only one other update with no information about exactly what happened.
ABC13 put in a records request looking for messages from the IT director, library director, and county judge connected to the incident. In April, the county asked the attorney general's office to block our request.
On June 10, the AG's office sided with ABC13 and instructed the county to give us everything we requested. It took two weeks of pushing before we received anything. So far, we've received nearly 3,000 pages that provide information about what happened.
IT Director Robyn Doughtie said in an email, "We are facing the biggest cyber event in Fort Bend County history." It wasn't just a cyber incident, but massive ransomware attack that Doughtie said compromised the entire library network.
She sent an email to Library Director Roosevelt Weeks in the days following the attack, saying, "The magnitude of this situation is clearly not understood. Everything in the library that was connected to the network is compromised. This is not a one-day fix, or even a one-month fix."
So far, the county has spent millions rebuilding the network. It's still not fixed. Computers remain dark, and patrons told ABC13 they can't renew library cards or search electronic catalogs.
Emails show a ransom note was found
Emails show the county IT department received a bulletin from the library department about the cyberattack on February 24. The cyberattack was discovered around noon, and library staff informed the IT department an hour and 40 minutes later.
The Texas Department of Information Resources got involved as well. In the documents ABC13 received, there's a report from the DIR detailing what happened.
The report states, "The incident also included a ransom note being posted on the library system with instructions to log-on into a private communications portal." It went on to say, "The ransom note claims that all files were encrypted and important data was copied to the operator's storage." The documents don't reveal how much the ransom was for."
The report, which was emailed two weeks following the attack, indicates the cyberattack wasn't reported to law enforcement. That's since changed, but it's unclear when law enforcement got involved.
The Fort Bend County District Attorney's Office is currently doing an investigation. Eyewitness News was told so far, no one has been charged.
Following the news of the incident, ABC13 asked if the FBI was involved, but county leaders wouldn't say.
Documents show the FBI is involved in the investigation. 13 Investigates reached out to the DIR to see if the county handled the response correctly.
A spokesperson sent ABC13 a response, "The Texas Department of Information Resources (DIR) takes our role in assisting other government organizations with their cybersecurity incidents very seriously and strives to protect information entrusted to us by organizations who have been impacted. We ask that you send questions involving the specifics of an attack directly to the entity about whom you are seeking information."
Assessment reveals troubling security issues the library had in place
Throughout the documents, Doughtie takes aim at the library IT staff. In one email, she said the county is facing this event "because of their lack of knowledge and poor management of the library technology infrastructure."
A risk assessment done in the days following the attack outlines issues the county IT department found. It found outdated operating systems, unsupported hardware, a lack of security monitoring, and publicly exposed servers and computers. The last point the report says was the highest risk and shows that all servers and computers were assigned state public IP addresses, meaning every system was directly accessible from the open internet, making them vulnerable to cyberattacks.
The library staff defended themselves. In an email, a library worker laid out how they've tried to get cybersecurity tools, saying, "The library has asked for tools, resources, and engineering hours in every budget submitted, only to be denied."
We shared the documents with San Jacinto College's cybersecurity senior director, Rizwan Virani. I think it's a very serious event," Virani explained. "I think there might have been just this technical debt, these years of non-compliance and non-intervention that snowballed and now there's so much to catch up on."
Years of issues that could be found in the emails. One email from the IT director shows that in November of 2021, the library was hit with a cryptomining malware.
The emails show employees couldn't access their email for days because of it. Following the incident, the county IT made several recommendations to the library IT staff. It's unknown if they were implemented.
Virani said if they were, it may have made a difference with the 2025 cyberattack. "Having routine maintenance completed, and having proper cyber security hygiene program in place and focusing on this would've certainly helped," Virani explained.
MISSING HARD DRIVES LEADS TO LIBRARY STAFFERS BEING PUT ON LEAVE
The county IT and library IT had separate departments. Following the attack, the county IT department assisted the library.
Emails from county IT workers revealed concerns they spotted at the library in the days following the attack. A manager said, "As we entered to inspect potential server drives for retrieval, we noticed that a few drives from two servers had already been removed. The servers, named Grogu and Yoda, were each missing one drive."
Doughtie sent an email to Weeks explaining the concerns she had about the library staffers' actions. In the email, she said, "My team was told by the library staff that hard drives were being removed and worked on to restore the data." She went on to say, "They have made numerous attempts and requests to upload files, which puts the FBC domain at risk."
The documents reveal following this visit, two library staffers were put on paid leave while the DA's office investigated. About a month later, the emails show they were cleared of any wrongdoing.
County leaders wanted to move seven library IT staffers to the county IT staff. However, the IT department raised concerns about one who works in the library IT department.
The report states, "She is not a good IT technician. The level of her knowledge is extremely limited, bordering on incompetence." By the end of the report, it says, "The main point to all of this is even if I did not already know or have come to realize during the incident her lack of capabilities, she would not make (it) through my interview process and I would not hire her off the street."
It's unclear what happened to the employee.
The library went international for help, as its services could be down for months longer
Weeks not only reached out to the county IT department for help. His emails show he went international.
Two years ago, the Toronto Public Library said it suffered a cyberattack. Weeks emailed the library and asked to meet with its leader in mid-May.
13 Investigates contacted the Toronto Public Library about the meeting. A spokesperson wouldn't make anyone available for an interview but sent us a report about the attack.
The last update on the Fort Bend County library website came from Weeks in April. If you visit the library locations today, some services are still down. The emails reveal it could be that way for months.
In early June, Weeks pleaded with county leaders to approve a new server contract, saying, "We have wasted almost 2 months on a contract we have had in had for at least that long. If we don't get this contract on next week's agenda, we are looking at services being restored to the public in September/October. This is too long for the system to be down for that long. Please, please, please let's do everything we can to get this on next week's agenda."
It wasn't added to the June 10 agenda. Instead, commissioners approved the $1.2M contract on June 24.
A lingering delay that's impacting library staff. In an anonymous email Weeks received from someone identified as a library worker, they said, "We received no guidance on what to tell patrons. I think most of us just went with 'the system is down' and 'cybersecurity incident.' About half the patrons accept this, another quarter will ask a bunch of questions and get upset when I do not have any answers, and another quarter will just berate us."
Because of the lack of communication and upset patrons, the staffer said it's caused them to go into a back office and cry. It's frustrating to some parents we talked to as well.
Janise Cookston said she uses the library to help homeschool her five children. However, since February, educating her kids hasn't been the same.
"I can go and physically search the shelves of my branch, but I'm finding maybe a tenth of the books I need, and it's taking me hours to search for them, whereas it used to just take minutes because I could type it in," Cookston explained.
Cookston said she can't understand why she may have to wait three more months until services are restored. "That's bananas and that's unacceptable," Cookston said. "There would (be) riots in the street if that was any other county service."
Emails reveal what happened, but library leaders still refuse to answer questions
Since the attack was revealed in March, ABC13 has requested numerous times to interview Weeks. Each time, he's declined.
On Tuesday, ABC13 showed up at his office. The library communications person told us Weeks was in the building, but wouldn't meet with us because he was busy following a return trip from a conference.
Hours later, Eyewitness News received an email from Weeks saying, "I don't have anything else to add to my last statement, but will have an update for the public soon. Thanks."
While ABC13 received more than 600 emails from Weeks, there were none from him in the two weeks following the attack. ABC13 requested documents with keywords including cyberattack, network, and ransom.
Eyewitness News asked the county IT department if more records were coming. They said they pulled emails we requested, sent them to Weeks to review, and that's what was sent back to send to us.
ABC13 also requested Judge KP George's records tied to the cyberattack. To date, we haven't received any. We also requested text messages from those three county leaders, but so far we've only received emails.
For updates on this story, follow Nick Natario on Facebook, X and Instagram.
