During the recent 2026 Property Records Industry Association (PRIA) Winter Symposium in Virginia Beach, Va., attendees received a comprehensive update from CSC Chief Information Security Officer Mark Eggleston in the “State of Cybersecurity” session, as well as a cautionary tale of what the worst-case scenario can look like.
Chad Montgomery, county recorder for Box Elder County in Utah, closed out the session by sharing details of how, in early August of 2025, his office lost every computer, every server, every backup system and all of its digital records simultaneously in one attack.
“The first notice of the ransomware attack came early Sunday morning, Aug. 3, as a pop-up window with information directing us to a website on the dark web. It asked us to negotiate for the return of our data and our information,” Montgomery said. “Later that morning, the elected officials and department leaders were told that we were dealing with a cyber security event and that we were asked to speak with our employees and let them know that Monday morning would not be a normal day. Within minutes of opening on Monday, outside partners, especially the title companies and others, began calling because nothing worked for them. They couldn’t get access to our online system. They couldn’t see any of their deeds or anything.”
Montgomery went on to describe the scope of the attack, which affected 400 computers, 30 servers, and five network storage systems. The attackers, his team later learned, had been in the county’s system undetected for four and a half months, mapping out systems, identifying backups and spreading the infection.
“When the attack, or the lockdown encryption, finally happened, (the hackers) encrypted not only the main systems, but also all of the off-site backups and everything we thought would keep us safe,” Montgomery said. “Within 72 hours of the initial attack, just over four terabytes of data was leaked onto the dark web, which was primarily the land records and the GIS (geographic information system) records. From an operational standpoint, everything stopped. In the recorder’s office, we had to move immediately to manual recording.”
Fortunately, Box Elder County had analog alternatives to fall back on, including preprinted labels, some handwritten logs and receipt books, as well as an improvised tracking system. However, the going was slow. What would normally take Montgomery’s team minutes to record or transact suddenly took up to half an hour.
“It felt like we were dropped back into the 1980s instantly overnight,” Montgomery said. “At the same time, the phones were ringing off the hook constantly. Every five to seven minutes, someone was calling to ask if we’re back up, when we’re going to get back up, what is an estimated time, and why haven’t they been told more? We couldn’t answer any of those questions.”
Recovery from the attack was grueling, Montgomery explained. Through long staff hours and cooperation with law enforcement, the county’s data was slowly reconstructed while operations continued at a snail’s pace.
“Every computer, every server had to be completely wiped, rebuilt, and all software reinstalled. Every thumb drive, every storage device was collected, scanned and cleaned of the ransomware software. Nothing was trusted. New hardware had to be bought. New credentials were created, and new security measures were put into place,” Montgomery said. “For weeks, the recorder’s office operated off of a single laptop that I purchased off of Amazon, a small printer, a small scanner and a mobile hotspot taped to the window so that I could get enough reception for us to function.”
Looking back on the incident, Montgomery shared some takeaways that boiled down to the critical axiom: readiness is everything. When plans are put in place to continue critical operations in spite of determined intrusion, recovery can be a much smoother process.
“So there are several lessons that we took away from this experience … the first thing is that no system is completely safe,” Montgomery said. “We thought our system was safe, but we also learned that backups were not enough.
“Second, cybersecurity events always take longer to resolve than people expect,” he added. “Third, having a manual contingency plan is not optional. It’s essential. Start pulling stuff together as soon as possible. And finally, recording jurisdictions need better continuity of operations planned, especially when it comes to accessing public records.”