On August 9th, 2016, Anderson County Law Director Jay Yeager notified county employees, elected officials and the media of what he called a “potential system-wide breach of [the] main courthouse server.” The memo that was distributed that day warned employees that their personal information may have been compromised and urged people to take action to protect themselves against identity theft.
The Anderson County Sheriff’s Department began investigating almost immediately, utilizing state and federal investigative resources as well.
Since that time, though, public updates on the status of the investigation have been few and far between. Updating County Commissioners in September of 2016, Finance Director Natalie Erb said that an audit performed by an IT consultant had shown that “the IT systems and operations that were in place were not secure. The information and data were left open and vulnerable to numerous risks. The controls and safeguards were inadequate and ineffective, and there was potential for fraud to occur.”
The report found that administrative and user passwords were weak and followed a known sequence. The analysis also found that the firewall was not logging accurately and that its logs were in fact being overwritten every 24 hours, which erased the log-in trail.
The IT consultant performed a network audit of the Courthouse, which turned up a device commonly referred to as a “man-in-the-middle.” In layman’s terms, such a device intercepts emails and, in addition to sending them to their intended destination, makes a copy and sends that to an unknown, third-party location.
In February, responding to a request from Erb for a status update on the investigation, 7th Judicial District Attorney General Dave Clark wrote, “the anxiety concerning any possible data loss or privacy invasion in this matter appears to [be] disproportionate, regrettable and partially unfounded.” He says that this has “no doubt been fueled, in part, by public commentary that has been at times inflammatory or simply irresponsible.”
Clark said at the time that his office has no reason to believe that any personal or health data for any employees had been taken from the county computer system and that his office had not received any reports of identity theft or similar crimes connected to the breach.
Since the February letter, however, there has been very little said publicly about the status of the investigation.
WYSH has learned through sources that Clark told at least one County Commissioner within the last month that the investigation had been concluded by the Sheriff’s Department several months ago and that no evidence of a breach was found. WYSH was told at the time that an announcement would be forthcoming from the Sheriff’s Department about the status of the probe, but that announcement never came. WYSH has reached out to Clark for a comment, but he has been out of the office this week and has not yet responded.
While no one has gone on record, a source within the Sheriff’s Department says that the investigation is ongoing, despite what has been said (or not said) publicly.
The Sheriff’s investigation has focused on whether or not a crime occurred, and if so, who committed it, and for what purpose.
Everyone WYSH has spoken to about this story agrees on one thing: Erb’s security assessment from September, namely that the system was not secure and therefore was vulnerable to a cyber attack. Sources have indicated that they cannot determine when the foreign device was attached to the server, nor what its purpose might have been or what, if any, information it may have collected and/or disseminated.
Since the breach was alleged, the county has spent some $400,000 on IT security upgrades and a dedicated, full-time IT specialist as well as on identity theft fraud protections for county employees.
WYSH is continuing to look into this story and will update you on the air and online as we are able. County Commission Chairman Tim Isbel will discuss this issue and preview Monday night’s County Commission meeting when he joins us in studio for Monday’s edition of “Ask Your Neighbor” at 10 am.