County posts classified info
Thousands of internal, computerized records collected over 20 years at the Mesa County Sheriff’s Department were mistakenly made available on the Internet in April by an employee with the Mesa County Information Technology Department, authorities said Thursday.
Those records included names of confidential informants, home addresses for Sheriff’s Department employees and troves of personal information, amongst a host of other data.
The error wasn’t noticed, and the information wasn’t removed from potential worldwide view, until Nov. 24, according to Mesa County Sheriff Stan Hilkey.
Hilkey acknowledged Thursday that his department hasn’t determined the full scope of the apparent massive breach and has enlisted the help of the FBI to track down computer users who may have downloaded the sensitive information.
“It’s a significant event, which we’re trying our best to manage,” Hilkey said. “In some regards, we feel victimized as well.”
The sheriff added, “We have more than 200,000 name files (in the records-management system), but we don’t know if all of them went out.”
Hilkey said arrest narratives apparently were not included in the breach.
One of the exposed files, which was obtained by The Daily Sentinel, includes more than 1,000 pages of information from 2001 through this past spring, with names of confidential informants who worked with the Western Colorado Drug Task Force.
There were e-mails between officers about crime victims, suspected criminal activity and homicide investigations. Telephone numbers and addresses were associated with many of the named individuals.
“All of our employees’ personal information was in there,” Hilkey said of the exposed data, including addresses, home phone numbers, lists of family members and more.
“We have our own safety concerns,” he said.
Asked to quantify the data exposure, interim Mesa County Administrator Stefani Conley said, “It’s not small.”
“This is a very serious situation,” she said.
EMPLOYEE NO LONGER WITH COUNTY
The employee at the center of the breach is “no longer with the county,” Conley said.
She declined to name the employee.
The employee had been working in Mesa County’s Information Technology group on a project integrating computer databases between Grand Valley law-enforcement agencies, Hilkey said.
In April, authorities said the man had “parked” files from the sheriff’s records-management system on a county-run server that the man believed was secure: a “file transfer protocol site.” Hilkey said the files were kept at that location, which has its own Mesa County URL address, awaiting conversion to be compatible with the new law-enforcement database.
“This employee thought this was a password-protected, encrypted (web)site,” Conley said.
The trove of information remained there until Nov. 24, when Hilkey said an individual called authorities after finding his or her name mentioned in the files while searching the Internet. The site was taken down that same day, Hilkey said.
Initiating an investigation, Hilkey said the department determined exposed data was first accessed externally Oct. 30.
Hilkey said the data was accessed “multiple” times afterward; he declined to give a specific figure.
Hits on the data were from local computers, “some nationally, some internationally,” said Hilkey, noting some people achieved access from Europe.
“We’ve worked with Google Corporate Security to remove any information (still) in the system,” Hilkey said.
Similar efforts are under way with other search-engine providers, he said. How much of the information remains online is unknown.
Nor does Hilkey know the number of instances when the information was printed, saved to a computer’s hard drive or possibly attained by anyone with ill intent.
“The Internet possibilities are mind-boggling,” Hilkey said, later adding, “The irony for us is we’ve done an enormous amount of work with (Mesa County) IT on security. It’s mind-boggling to think this information made it to an unsecured site, but done by an employee who had legitimate access for legitimate work reasons.”
In the short term, Hilkey said the department has started a risk-assessment process.
Conley, meanwhile, said there is no indication internal data from other county departments were exposed.
Conley said Mesa County already is weighing potential legal liability and ramifications.
“We’re re-evaluating our IT protocols and will take the necessary steps to make sure something like this can never happen again,” she said.