The timing and location of the breach from June 2016 to November 2016 calls into question whether or not this was related to the FBI's more expanded investigation into state election systems reportedly hacked by Russian operatives during the 2016 election.
The Camden County Commission released a key document related to the network breach that temporarily shut down some government operations last year for several months and required necessary purchases for upgrades to software and hardware.
On Thursday, the Commission released a document from September 18, 2016, authored by former Information Technology (IT) contractor Reuben Chambers of RVC Data Recovery in Camdenton, that outlined the Commission’s response to the network breaches that had put some documents and files at risk to external and internal access.
Chambers was initially hired by the County Clerk’s Office in June of 2016 when he was contacted by the office regarding a file that was missing from one of the office computers. Over the next several months, Chambers, who is a mandatory reporter for government security breaches, discovered vulnerable back door entries to the County’s IT security systems and one that circumvented the firewall.
He was eventually hired by the Commission to administer and maintain the network, but was terminated several months later when a disagreement between him and Huber & Associates, which had also been contracted to work on the network, arose over access to certain parts of the hardware.
According to the document, on August 19, 2016, the Commission contacted RVC Data about a “malfunctioning piece of computer equipment.” Chambers visited the office and discovered “what sounded like a hard drive crashing.” The noise was coming from former Second District Commissioner Cliff Luber’s computer where an external hard drive was connected, according to the document.
Chambers told the Commission that he did not have access to unhook the hard drive and was also told by the Commissioner’s Administrative Assistant Donna Scheiter that her computer “was missing files and something odd was ‘marking’ the files on her disk drive.”
The files security and sharing abilities had been altered to allow full access to user “Cliff Luber,” though the Commission said they were unsure when these changes were made or who made them and have never been told by investigators.
According to the document, Presiding Commissioner Greg Hasty instructed Chambers to secure the computer and remove access from everyone except Scheiter. Chambers also inspected the computers of Hasty and First District Commissioner Bev Thomas and noted that those two also had been granted full and shared access. He removed access and remote access accordingly, the document states.
There was also concern from the Commission and Human Resources Department that controlled files had been exposed. Chambers visited the Human Resources Department in the courthouse and discovered that “all files were shared and accessible.”
“I noted that there was a lack of encryption on the laptop as required by HIPPA. I locked out access to the computer and remote access at the request of the Commissioners,” Chambers said, according to the document. “I informed the Commissioners (Bev and Greg) that they would need to encrypt the laptop soon.”
On Thursday, Hasty and Thomas confirmed that the County has not received any fines or citations from state or federal agencies for its previous security setup which since then has been dramatically upgraded. It’s still unclear what, if any, information was improperly accessed or stolen, but Thomas did state that she was told there was at least one external hacking attempt from Asia.
The Commissioners said they had “no idea” the state of disrepair the IT equipment was in with some main systems only having 30-days left to be upgraded and still be supported by technical maintenance.
“No time prior to that, nothing was said about the problems,” Hasty said. “It was horribly compromised. There was no request for funding (during my time in office).”
Thomas said she hadn’t been aware of any IT issues with software or hardware updates either in her position as Commissioner for over the last decade.
The document release and subsequent statements made by the Commission came during an agenda item described as a ratification of the software agreement per legal counsel, Camden County Attorney Charles McElyea.
Hasty said the reason the Commission didn’t start acting until August was due to the unknown scale of the breach, which was initially thought to have only affected the Clerk’s Office.
After the Commissioners were made aware of the breach, Hasty said the office “was just along for the ride” as they were receiving orders from attorneys and law enforcement investigators, including the Missouri State Highway Patrol Criminal Justice Information Service (CJIS).
Meetings and approved expenses for software upgrades and the purchase of additional servers, including a separate one for the Camden County Sheriff’s Office, have been estimated to be over $100,000, according to the documents obtained by the Lake Sun.
Hasty said these were done under the Sunshine Law provision that allows the Commission to act quickly in the event of an emergency without providing public notice or documentation of meeting minutes.
“There’s nothing I would change,” Hasty said about his decision making.
He said the director of CJIS, who analyzed the former security system, “laughed” about its abilities to properly secure the network.
“That was an embarrassment,” Hasty said. “But it’s part of the cost of doing business. Those upgrades were mandatory.”
The Commission said they still do not know who may have unlocked the computers when those events occurred and who was responsible. The Federal Bureau of Investigation has repeatedly declined to comment about the investigation as is standard practice for the agency.
However, the timing and location of the breach from June 2016 to November 2016 calls into question whether or not this was related to the FBI’s more expanded investigation into state election systems reportedly hacked by Russian operatives during the 2016 election.
In June of 2017, Bloomberg Politics reported that Russia’s cyberattack on the United States electoral system was far more widespread than initial reporting, “including incursions into voter databases and software systems in almost twice as many states as previously reported.”
The Bloomberg report, which relied on three people with knowledge of the investigation and a recently disclosed classified document made public by The Intercept, claimed that a total of 39 states had been hacked in 2016.
In September of 2017, the Associated Press, citing U.S. Department of Homeland Security officials, reported that a total of 21 states in the run-up to the election had attempted to be hacked.
The AP attempted to contact every state for confirmation of the attempted hacks with 16 states confirming the report, including Midwestern states like Illinois and Iowa and others like Colorado, Maryland, Oklahoma and Texas.
However, the State of Missouri has not publicly confirmed that any of its election systems were compromised in 2016.