UNLV cybersecurity director Greg Moody’s phone was blowing up after news broke of a massive August 24 cyberattack on the state of Nevada’s network. When the dust settled, the general consensus among his peers was that it was unprecedented in scope.

“Definitely, some cities have been attacked, but I haven’t been aware of any of this nature that has hit a state at this level,” Moody tells the Weekly. 

He says the state “responded appropriately” by closing offices and taking down websites and phone lines that “might be contaminated.” But that precautionary move ended up halting DMV services for nearly two weeks, while the online Medicaid application system remained down through September 12.

With systems now restored, many frustrated Nevadans are still wondering how it happened, as well as how the state can better prepare for future attempts.

To date, little is known about the attacker’s identity, motives, or the extent to which they gained access. But the state has confirmed that the breach was ransomware, a method through which hackers seize critical digital infrastructure like databases and threaten to sell or release private information if they’re not paid a hefty fee. A 17-year-old was recently arrested on charges related to a similar 2023 attack on MGM Resorts International and Caesars Entertainment. The attack on MGM impacted credit card transactions, the casino’s sports betting mobile app, and prevented digital access to guest rooms and some slot machine play. 

“It’s not like these hackers specifically targeted Nevada or MGM, per se. They were just trying different known attacks where, if something just wasn’t done right, they might get access—and it worked,” Moody says.

At a September 12 press conference, Gov. Joe Lombardo said the state had no evidence that Nevadans’ personal information was compromised. Throughout the recovery process—which included implementing statewide password resets and other “expanded” security measures—the state also saw a more than 300% increase in “direct attack attempts” on its network. 

In some ways, efforts to insulate the state from this threat were already well underway ahead of the incident. The Nevada Legislature has been gradually increasing its cybersecurity budget in recent sessions, while Lombardo’s administration unveiled a new Office of Information Security and Cyber Defense in July. Following the attack, Assembly Speaker Steve Yeager also announced his intent to form a new legislative group focused on cybersecurity.

“The state has been aware of the need to do more. It wasn’t that they just magically created that new office. It’s taken years of effort to move toward getting more resources and working toward those goals,” Moody says. 

Although Moody believes the state will “do better going forward,” keeping pace with an increasingly sophisticated network of anonymous hackers can be a tall order.

“If you think of it like a tree, all an attacker has to do is get inside one of the branches and they can eventually worm their way all the way down into the trunk. And as we get more advanced in our technological connectedness, there are more and more branches—or potential avenues for attack,” Moody says.

Cameron Call, an executive with the Valley-based IT firm Blue Paladin, offers some informed speculation on what may have caused the breach.

“This could have come in via a system that a state IT person just didn’t patch, but it could have also been some state employee who opened a malicious link in an email,” he says. “It’s really tricky, because you could have 300 ways into your network, and a successful attack just needs one.”

To help mitigate those possibilities, Mack Jackson Jr., founder of local tech consulting firm Vanderson Cyber Group, says the state can’t overlook “the human element.”

“It doesn’t matter how many millions of dollars they spend on cybersecurity. All it takes is just one individual to click on an email for the whole house of cards to fall,” Jackson says. “My recommendation would be to continually have cybersecurity awareness training for their employees so they can better understand and recognize the threat.”

Nevada in general is a somewhat unique case in the larger picture. According to the FBI’s 2024 Internet Crime Report, the Silver State ranks second behind only Washington, D.C., in the number of reported cybercrime losses per 100,000 citizens—at $8,225,617.

Moody is training tomorrow’s industry professionals to help offset that disparity. When his department launched its inaugural undergraduate cybersecurity program this semester, he was expecting to see 50 to 75 students enroll. The final tally was 280.

“Students are aware of this need, since I don’t think you can go a week now and not see some cybersecurity story in the news,” Moody says. “The first thing I tell students is that a good cybersecurity professional needs to be motivated to keep learning, adapting and trying new things—a jack-of-all-trades. And that’s really hard to train.” 

Despite the challenges, Moody says the increased interest bodes well for the future of the field. The hope is that many of his students find success without leaving the state.

In the meantime, should regular, everyday Nevadans be concerned about the state attack?

“What’s your individual risk like, specifically, with this breach? Probably not much,” Moody says. “I tell people to monitor their financial accounts. If those are staying in line, it’s unlikely that any of your information is being actively used to your disadvantage.”