Louisiana Fire District Files Lawsuit Against Cybersecurity Firm Following Breach


Key Takeaways

  • The St. George Fire Protection District sued its cybersecurity contractor, General Informatics, after a December 2023 breach exposed the district’s network to attackers.
  • Hackers used “living off the land” tactics, leveraging legitimate Windows tools to move laterally, steal credentials, and prepare for a potential ransomware lockout.
  • Law‑enforcement investigation revealed that General Informatics reused compromised remote‑access credentials across multiple clients, including another unnamed municipal agency that also relied on the firm.
  • The breach exposed critical weaknesses: plain‑text administrative passwords, unlogged firewall activity, lack of network segmentation, and missing server backups despite contractual obligations.
  • After the attack, the fire district had to rebuild its entire IT infrastructure at significant cost, while General Informatics billed the district for remediation work and its own legal fees and later sought arbitration to avoid litigation.

Background of the Lawsuit
On May 23, 2024, the St. George Fire Protection District filed a civil suit in Louisiana state court against General Informatics, a Baton Rouge‑based cybersecurity firm it had contracted to protect its IT environment. The suit alleges that the firm failed to prevent a security breach discovered in December 2023, which left the fire district’s network exposed to malicious actors. The plaintiffs seek compensatory damages for the costs incurred to restore operations, mitigate future risk, and address the alleged negligence of the service provider. The filing marks a rare instance where a public‑safety agency pursues legal action against its IT vendor for inadequate cybersecurity practices.

Nature of the Intrusion: “Living Off the Land”
According to the lawsuit, once inside the network the attackers employed a “living off the land” (LotL) approach: rather than dropping custom malware, they used legitimate, pre‑installed Windows utilities such as PowerShell, WMIC, and the built‑in administrative tools. Because these binaries are signed, already present on every host, and run by administrators daily, their mere execution is not anomalous, which is why signature‑based antivirus rarely flags them. By abusing these trusted processes, the intruders could escalate privileges, move laterally between systems, harvest credentials, establish persistence, and stage a future ransomware deployment without raising alarms. The suit quotes the plaintiffs’ attorneys, noting that LotL tactics enable adversaries to “steal or encrypt data, install malware, set backdoor access points, or otherwise advance the attack path.”
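Because LotL activity hides in ordinary process execution, detection has to look at how a built‑in tool was invoked and by what, not merely that it ran. The script below is an added example (not part of the lawsuit, the article, or any tool the district used) showing the kind of process‑creation triage a defender would run over Windows Security 4688 / Sysmon event 1 records. The hosts, users, and command lines are constructed for illustration; rule names and thresholds are this example’s own choices.

```python
import re
from collections import defaultdict

# Constructed sample events in the shape of Windows Security event 4688 /
# Sysmon event 1 (process creation). Hosts, users and command lines are
# hypothetical and are not taken from the incident described above.
SAMPLE_EVENTS = [
    {"host": "WS07", "user": "SGFD\\jdoe", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe shift_roster.txt"},
    {"host": "WS07", "user": "SGFD\\jdoe", "parent": "winword.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "WS07", "user": "SGFD\\jdoe", "parent": "powershell.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:"DC01" process call create "cmd.exe /c whoami"'},
    {"host": "DC01", "user": "SGFD\\svc_rmm", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil "ac i ntds" "ifm" "create full C:\\temp\\x" q q'},
    {"host": "DC01", "user": "SGFD\\svc_rmm", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "Updater" /tr "powershell -nop -w hidden -File C:\\ProgramData\\u.ps1" /sc onstart /ru SYSTEM'},
    {"host": "FS01", "user": "SGFD\\backupsvc", "parent": "services.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic logicaldisk get size,freespace"},
]

# Command-line patterns. Each targets an abuse of a built-in, not the tool itself:
# plain "wmic logicaldisk" is admin noise, "wmic /node:X process call create" is not.
CMDLINE_RULES = [
    # Encoded command: hides the script body from casual log review.
    ("encoded_powershell",
     r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    # Hidden window / no profile / bypassed execution policy.
    ("powershell_hidden_or_bypass",
     r"powershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|-executionpolicy\s+bypass)"),
    # WMIC spawning a process on another host: lateral movement with a built-in.
    ("wmic_remote_process_create",
     r"\bwmic\b.*/node:.*\bprocess\s+call\s+create\b"),
    # ntdsutil IFM export copies NTDS.dit, i.e. every domain password hash.
    ("ntds_ifm_dump", r"\bntdsutil\b.*\bifm\b"),
    # LSASS memory dump through the signed comsvcs.dll MiniDump export.
    ("lsass_comsvcs_minidump", r"\brundll32\b.*comsvcs\.dll.*minidump"),
    # Hive export of SAM/SYSTEM/SECURITY for offline credential extraction.
    ("sam_hive_export", r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b"),
    # Boot/logon task running as SYSTEM: persistence without a dropped binary.
    ("schtasks_persistence",
     r"\bschtasks\b.*/create\b.*(/sc\s+(onstart|onlogon)|/ru\s+system)"),
    # certutil used as a downloader.
    ("certutil_download", r"\bcertutil\b.*-urlcache\b"),
]
COMPILED = [(name, re.compile(rx, re.I)) for name, rx in CMDLINE_RULES]

# Office applications have no business spawning shells, script hosts or LOLBins.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "mshta.exe",
           "regsvr32.exe", "rundll32.exe", "certutil.exe", "wscript.exe", "cscript.exe"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one finding per (event, rule) match; an event may trip several rules."""
    findings = []
    for ev in events:
        hits = [name for name, rx in COMPILED if rx.search(ev["cmdline"])]
        if ev["parent"].lower() in OFFICE_PARENTS and _basename(ev["image"]) in LOLBINS:
            hits.append("office_spawns_lolbin")
        for rule in hits:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "rule": rule, "cmdline": ev["cmdline"]})
    return findings


def hosts_with_attack_path(findings, min_distinct_rules=2):
    """Hosts where several *different* LotL techniques fired. One LOLBin hit is
    often admin noise; several distinct ones on one host read like an attack path."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["rule"])
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_distinct_rules}


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:5} {f['user']:15} {f['rule']:28} {f['cmdline'][:60]}")
    print("attack-path candidates:", hosts_with_attack_path(found))
```

On the constructed events the benign Notepad launch and the service account’s local `wmic logicaldisk` query produce nothing, while the workstation where Word spawned an encoded PowerShell that then used WMIC against the domain controller, and the domain controller where NTDS was exported and a SYSTEM boot task was created, each accumulate several distinct techniques. That per‑host accumulation, rather than any single rule, is what separates LotL tradecraft from routine administration; none of it is visible if process‑creation auditing with command‑line logging is not enabled in the first place.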

Potential Motives and Broader Threat Landscape
The fire district’s legal team suspects the attackers’ ultimate goal was to lock the agency out of its own systems, thereby disrupting emergency response capabilities until a ransom was paid. Moreover, because the compromised network served as a trusted conduit, the intruders could have used their foothold to pivot to other municipal or state agencies that share similar IT infrastructures or rely on the same vendor. Indeed, investigators discovered that the same threat actors had successfully breached another East Baton Rouge municipal entity responsible for computer‑aided dispatch (CAD) coordination between the parish and St. George, suggesting a broader campaign targeting local emergency‑services providers.

Law‑Enforcement Findings and Shared Vulnerabilities
Following the initial breach report on December 23, 2023, law‑enforcement agents examined the fire district’s servers and identified that its domain controllers—the core servers authenticating users and enforcing security policies—had been compromised. Control of a domain controller grants an attacker the ability to impersonate any user, access any network resource, and manipulate group policies. The investigators also uncovered that General Informatics had been using the same username and password for its remote‑access tool across all of its clients, a practice that persisted even after the firm was notified in November 2023 that those credentials had been exposed. This credential reuse created a single point of failure that allowed attackers to move from one client network to another with minimal effort.
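A managed‑service provider can catch exactly this failure mode with a routine audit of its own credential store: group credentials by value across clients, and check whether anything reported exposed has actually been rotated since the notice. The script below is an added example, not the firm’s or the investigators’ code; the client names, usernames, passwords, dates, and the exposure notice are constructed, and the HMAC key is a hypothetical per‑run secret so that the report carries fingerprints rather than plaintext.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import date

# Constructed inventory in the shape of a vault / RMM credential export.
# Clients, usernames, passwords and rotation dates are hypothetical.
INVENTORY = [
    {"client": "fire-district",   "tool": "rmm-agent", "username": "svc-remote",
     "password": "Winter2022!", "last_rotated": date(2023, 2, 1)},
    {"client": "dispatch-agency", "tool": "rmm-agent", "username": "svc-remote",
     "password": "Winter2022!", "last_rotated": date(2023, 2, 1)},
    {"client": "clinic",          "tool": "rmm-agent", "username": "svc-remote",
     "password": "Winter2022!", "last_rotated": date(2023, 2, 1)},
    {"client": "library",         "tool": "rmm-agent", "username": "svc-lib",
     "password": "xk7Qp2mVt9Lw", "last_rotated": date(2023, 11, 20)},
]

# Hypothetical exposure notices: username -> date the provider was told it had leaked.
EXPOSURE_NOTICES = {"svc-remote": date(2023, 11, 6)}

# Hypothetical per-run key: fingerprints stay comparable inside one audit
# but cannot be turned back into passwords or linked across reports.
REPORT_KEY = b"hypothetical-per-audit-run-key"


def fingerprint(username, password):
    """Keyed hash of the credential pair so reports never contain plaintext."""
    msg = f"{username}\0{password}".encode()
    return hmac.new(REPORT_KEY, msg, hashlib.sha256).hexdigest()[:16]


def shared_credentials(inventory):
    """fingerprint -> sorted client list, for every credential used at 2+ clients."""
    clients = defaultdict(set)
    for e in inventory:
        clients[fingerprint(e["username"], e["password"])].add(e["client"])
    return {fp: sorted(c) for fp, c in clients.items() if len(c) > 1}


def unrotated_after_exposure(inventory, notices):
    """Entries whose last rotation is not later than the exposure notice."""
    return [e for e in inventory
            if e["username"] in notices and e["last_rotated"] <= notices[e["username"]]]


def blast_radius(inventory, notices):
    """Clients reachable with an exposed, unrotated credential, counting every
    client that shares it: this is the single point of failure in one number."""
    shared = shared_credentials(inventory)
    reach = set()
    for e in unrotated_after_exposure(inventory, notices):
        fp = fingerprint(e["username"], e["password"])
        reach.update(shared.get(fp, [e["client"]]))
    return sorted(reach)


if __name__ == "__main__":
    for fp, clients in shared_credentials(INVENTORY).items():
        print(f"credential {fp} shared by {len(clients)} clients: {', '.join(clients)}")
    for e in unrotated_after_exposure(INVENTORY, EXPOSURE_NOTICES):
        print(f"{e['client']}: {e['username']} exposed {EXPOSURE_NOTICES[e['username']]}, "
              f"last rotated {e['last_rotated']}")
    print("blast radius:", blast_radius(INVENTORY, EXPOSURE_NOTICES))
```

On the constructed data one credential is shared by three clients and was never rotated after the notice, so the blast radius is all three; the library’s unique, recently rotated credential stays out of the report. Unique per‑client credentials make the first check empty by construction, and rotating on notice makes the second empty, which is the state any provider holding remote access to public‑safety networks should be able to demonstrate.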

Specific Security Deficiencies Exposed
The post‑incident review conducted by Louisiana Emergency Support Function 17 (ESF‑17, the state’s cybersecurity support function coordinated through the Governor’s Office of Homeland Security and Emergency Preparedness) revealed a litany of avoidable shortcomings. Investigators found a plain‑text note containing the fire district’s administrative credentials for various applications stored on a server, so an attacker with access to that server had no need to crack or dump passwords. The network firewall was not logging traffic, eliminating the audit trail that would normally reveal anomalous connections and lateral movement. The flat network design lacked segmentation, so a compromise of one system could spread unhindered to every other. Perhaps most critically, General Informatics had failed to perform the contracted server backups, leaving the district with no recent restore points when the attack occurred.

Hardware and Service Missteps
Beyond credential and configuration errors, the lawsuit claims that General Informatics installed high‑speed fiber internet for the fire district at the district’s expense but then supplied network switches incapable of handling the increased bandwidth, creating a bottleneck that negated much of the upgrade. The firm also allegedly implemented no backup solution despite explicit contractual requirements, forcing the fire district to procure new servers, switches, domain controllers, firewalls, and backup systems from scratch after the breach. These failures undermined the district’s ability to maintain reliable, secure operations and contributed directly to the scale of the recovery effort.

Financial and Operational Aftermath
In the wake of the incident, the St. George Fire Protection District was compelled to rebuild its entire IT environment, incurring substantial capital expenditures for new hardware and software licenses, as well as operational costs associated with downtime and emergency response planning. The suit alleges that General Informatics subsequently billed the district for server remediation work and for the firm’s own attorneys’ fees, effectively seeking compensation for services that should have been covered under the original contract and for legal defense against claims of negligence. This post‑breach billing further strained the fire district’s budget and heightened concerns about the vendor’s accountability.

Arbitration Move and Current Status
Responding to the lawsuit, General Informatics filed a motion on May 18, 2024, seeking to compel arbitration under the dispute‑resolution clause embedded in its service agreement with the fire district. By pushing the case into arbitration, the vendor aims to avoid a public courtroom battle, limit discovery, and potentially cap its liability. As of the latest available information, the matter remains pending, with both parties preparing their respective arguments. The outcome could set a precedent for how municipalities and public‑safety agencies address cybersecurity failures by third‑party providers, especially when those failures threaten critical emergency‑services infrastructure.
