THE VIRGINIA WATCHDOG
RETURN TO HOME PAGE
07/26/06 Investigation about SSNs on public computer's database in Hampton, VA has been concluded and determined not criminal, according to a press release issued by the Hampton Police Department this afternoon.
There is now a huge lump under a rug in Hampton, VA.
On July 11th, 2006, The Virginia Watchdog's founder, BJ Ostergren, alerted the Chief of Police and the Commonwealth's Attorney there about a computer database created by the city's Commissioner of the Revenue and the Treasurer which was wide open to anyone who used a certain publicly accessible computer sitting in a corner of the Circuit Court Clerk's office.
Hampton's Commonwealth's Attorney then recused herself from the case and got the Norfolk Commonwealth's Attorney, John R. "Jack" Doyle, III, to oversee this major breach since there are laws forbidding the disclosure of information gleaned from tax records or the payment of taxes.
The database used by many people in the Clerk's office everyday contained names, addresses, account numbers, and Social Security numbers of taxpayers who had paid personal property and real estate taxes - and some home phone numbers on a spread sheet-like format.
There was not one safeguard on that computer which was put in the Hampton Clerk's office in 2002 and was hooked up to the other two offices' computer system and, apparently, no one from any of the three offices bothered to check it periodically to see that it was still "secure" and that the Social Security numbers were protected.
The Circuit Court Clerk even knew her own SSN was in that computer's database which used a separate and different system (called COTT) to display the tax information, as she explained to the man who discovered the breach, but she did nothing to stop the public from accessing the information. She explained the difference in the two systems she uses in her office and when he raised concerns about the SSNs being available, she never bothered to ask the Treasurer or Commissioner about it. She just said it was public when it really was not.
She thought it was like the rest of the records she holds in her office like mortgage records, final divorce decrees, judgments, tax liens, child support enforcement liens, etc. that are loaded with Social Security numbers which are available to anyone who walks into her office now to look at them and which one day soon will be available to anyone who signs up to access the records from their home or office. It will literally make this present fiasco pale in comparison since the number of SSNs exposed in public records is far greater than the 100,000 exposed in this data breach.
Questions though are being asked about how Doyle - or the police investigators assigned to the case - could conclude an investigation in this matter without contacting the people who were involved in the reporting of this which has been labeled as the biggest data breach in Virginia history.
No one contacted the Daily Press reporter, Kimball Payne, according to Payne himself in a conversation this evening in which he read Ostergren the press release put out late this afternoon.
In that conversation, Payne told Ostergren he actually watched several others use that computer during two separate visits when he got into the database. When he and Albert Viera - the citizen who first complained to the Clerk about it and then contacted Ostergren - were there on the first visit so Payne could see the database for himself, there were many people lined up to use that database.
On a separate visit by himself, Payne said there was a line forming while he was on the computer and so he let them go ahead and use the computer as he watched them get into that unprotected database loaded with SSNs. No investigator nor Doyle contacted Payne and asked him anything about his experiences on that computer or asked how many others he personally saw using the same system.
And no one called or left a message for BJ Ostergren to hear what she had to say about her first hand knowledge of it or to hear how many people she personally witnessed the morning of July 10, 2006 get into the same database. And no one asked her how many people she personally witnessed who used that computer on the afternoon of July 10, 2006 on her second visit back there by herself. No one asked her whose records she had obtained or how many sheets of paper she printed out.
But the Norfolk Commonwealth's Attorney and the Hampton Police have concluded that no criminal activity took place. How could this be, many want to know.
This computer sat unprotected and no one bothered to check its security. That is - and was - criminal.
And the Circuit Court Clerk who told Viera about the two systems she had in her office was certainly negligent in her duties to check it since it was in her custody. But then again it was hooked to the Treasurer's office and the Commissioner's office, so they were negligent, too.
"Possible link" to confidential and protected information? There is no doubt there WAS a link to Social Security numbers, so why does the press release say possible link?
"Software code problem" that allowed access to confidential information? That's what the press release says it may have been.
The press release determined it was not "criminal" but certainly someone should resign over it for the sloppy, inefficient, and careless handling of those SSNs which is "the key" to people's lives.
If the police knew just whose records were seen by everyone who used that computer, they wouldn't be scrambling to get the information back from the "reporting parties." They don't know so a letter should be sent to everyone telling them of this screw up.
And now we know why there is a big lump under a rug in Hampton...
Written by BJ Ostergren, Founder of The Virginia Watchdog.
(c) 2003 Ostergren, P.C. (Page Format Only)