Nervous about hackers? Here’s what to do after a data breach
Hackers stole more than $515,000 from the city of Fort Worth and employees with criminal convictions were allowed access to a confidential FBI criminal database, according to a lawsuit filed Wednesday by a former IT manager against the city.
William Birchett alleges that he was fired in February in retaliation for reporting to officials that the city’s cybersecurity had been severely compromised, including that the city had lied about its compliance with FBI crime database regulations, and had left city employees’ medical and personal information accessible to anyone with internet access.
The lawsuit states Birchett reported his findings and a proposal to fix the issues to Kevin Gunn, the city’s acting chief financial officer, and Roger Wright, the city’s acting chief technology officer, but to no avail.
“Gunn and Wright rejected Birchett’s remediation proposal in part because the expense would have required approval from the City Council and would entail public disclosure of the deficiencies, bad public relations, and accountability questions as to how and why the City’s cybersecurity was 90% non-compliant,” the lawsuit alleges.
When Gunn and Wright would not heed his warnings of non-compliance, Birchett reported the security breaches to law enforcement agencies, including the Texas Department of Public Safety and Fort Worth police, the lawsuit states. In retaliation, he was placed on administrative leave and ultimately fired in February, the suit states.
He is seeking more than a $1 million in relief and damages in the whistleblower lawsuit.
In an emailed statement sent Thursday by city spokeswoman Michelle Gutt, the city responded that while it does not typically comment on pending litigation, “we want to assure the public and our employees that the City takes data security very seriously.”
“Like all large organizations, constant vigilance and new tactics are necessary to prevent and respond to data breaches,” the statement reads. “The lawsuit involves an employee who was responsible for data security and was terminated for failure to follow management directions and do the things reasonably necessary to get us in compliance. The City is in compliance with all Federal regulations and is in line with industry practice for these protection measures.”
The lawsuit, filed in Dallas County, also claims that Mayor Betsy Price and the City Council were made aware of at least some of the breaches but chose not to notify affected individuals.
Councilman Dennis Shingleton said council members had been briefed on the allegations during executive session, which is not open to the public. He said he didn’t know why the matter wasn’t made public, but it’s not the practice of the council to discuss executive session matters publicly.
“That’s not our call on whether it goes public or not,” he said. “That’s based on what legal action may be required.”
Birchett’s attorney, Stephen Kennedy, said though he has represented large companies like Texas Instruments, Phillips Petroleum and Schneider Electric in intellectual property disputes over the past 30 years since graduating from law school, he’s from a small blue-collar town in Ohio where kids grew up to work in auto factories or farming.
“This case allows me to return to my roots, and represent a man who was just trying to do his job, and got fired for doing what he believed to be the right thing,” Kennedy said. “It is my honor to represent William Birchett and I will defend him with the same level of vigor that I previously represented corporate America.”
The lawsuit states Birchett began discovering the violations and deficiencies within a few weeks of being hired as senior information technology solutions manager in May 2017. He concluded the city was 90% non-compliant compared to industry standards.
Among the discoveries he reported to supervisors, according to the lawsuit:
▪ Because the city did not safeguard financial data, hackers diverted more than $515,000 from city accounts to offshore accounts.
▪ City employee names, birth dates, Social Security numbers, addresses and health insurance claims and benefits were available on an insecure city server accessible to anyone with internet access.
▪ Employees with disqualifying criminal histories were allowed access to confidential Criminal Justice Information Services, or CJIS, data. The Criminal Justice Information Services Division is a federally maintained centralized database that law enforcement agencies use to share data and information. It includes tools commonly used by law enforcement such as databases for fingerprint identification and national criminal background checks.
▪ The city misrepresented to the Texas Department of Public Safety in 2015, 2016 and 2017 that the city met all of the Criminal Justice Information Service requirements when it did not. DPS is responsible for auditing law enforcement agencies to ensure compliance with CJIS policies and regulations.
According to the lawsuit, Birchett told the truth when he completed a DPS questionnaire in late 2018, reporting that the city did not meet CJIS requirements in numerous areas. Had the city been found non-compliant, the police would have lost access to information shared among law enforcement agencies, including warrants, stolen vehicles and missing persons.
Among the most egregious violation, the lawsuit states, is that the city knowingly and deliberately allowed CJIS access to employees who were either permanently or temporarily disqualified because of misdemeanor or felony arrests. The suit includes as an example the names of eight employees who should not have had access.
“When Birchett initially reported the unauthorized access to the City, CJIS access permissions were initially removed and the disqualified employees were physically moved such that they did not have access to CJIS computers,” the lawsuit states.
But less than six months later, the suit alleges, access was restored for two of the employees.
Birchett reported it again, the lawsuit states, and the two employees’ permission was again removed.
One of the employees, however, still retained access because of so-called “nested permission groups.” Birchett presented a plan to supervisors to remove such unauthorized group access but it was rejected by Gunn and Wright.
By doing so, the city intentionally violated and continues to violate U.S. law, the suit states.
The city’s response
In its statement, the city acknowledged being “the victim of fraud in late 2017 when, due to human error, a vendor payment was redirected to a bad actor. Since that time, an arrest has been made in the case and additional safeguards have been implemented to ensure banking information updates are properly reviewed.”
Tarrant County court records show Gbenga A. Fadipe, 48, was indicted in June with theft of property greater than $300,000.
According to the indictment, Fadipe, of Richmond, is accused of stealing the money from the city in a scheme that ran from October 2017 until January 2018. That case is still pending.
In the fall of 2018, the statement reads, “the City addressed an employee data concern with a third-party benefit partner which was immediately resolved by the vendor with additional authentication requirements.”
The statement says that the CJIS audit was successfully concluded with the Department of Public Safety this spring “in spite of the misinformation presented by the plaintiff (Birchett) to both the DPS and the Police Department.”
Alleged attempts to silence
The lawsuit states Gunn, on behalf of the city, tried to silence Birchett by sending a Nov. 20 email to Birchett and other members of the cybersecurity team. The email ordered that they seek prior authorization before sharing information concerning security issues to anyone outside the IT department, including materials for audits.
The lawsuit alleges the email was partly intended to prevent Birchett from blowing the whistle to DPS regarding the city’s non-compliance with numerous CJIS regulations.
“Gunn’s email, however, came a day late,” the lawsuit states, adding Birchett had already reported the CJIS violations a day earlier.
In a Dec. 20 memo attached to the lawsuit, Police Chief Joel Fitzgerald expressed concerns to city managers regarding Gunn’s directive that Birchett not communicate with the police department without prior approval and warns “the FBI may interpret it as a means to circumvent CJIS rules by silencing [Birchett].”
But the lawsuit states Birchett would not be silenced and that he continually reported to Gunn, Wright and Fitzgerald that the city was not in compliance with numerous CJIS regulations. He also reported it in a Dec. 19 meeting that included city, DPS and Fort Worth police representatives.
Fitzgerald’s memo stated the DPS CJIS compliance auditor had interrupted the most recent audit in December and called a meeting with the chief and Fort Worth police staff after finding non-compliance in areas that he had been told in previous years had been addressed. The auditor told those at the meeting the city “acted unprofessionally and irresponsibly; advising FWPD that (we were) lucky there has not been a security breach,” the chief’s memo states.
If a break occurred, the auditor had said in the meeting, “once it went public that the City of Fort Worth knew the network was not protected and intentionally had not rectified it, it could quite possibly bankrupt the City,” according to the chief’s memo.
Because of the auditor’s finding, the chief’s memo states, Fort Worth police were prohibited from installing additional computers and terminals with CJIS access, deploying additional electronic ticket devices, and were unable to move forward with critical infrastructure projects. It is unclear if those prohibitions remain in effect.
“It is my duty to inform you that if this problem is not corrected it is likely this jurisdiction receives an admonishment from the Governor AND loses access to CJIS materials (information on warrants, stolen vehicles, missing persons, etc.), information critical to the mission of a police department that poses a serious threat to the safety of officers and citizens,” the chief’s memo states.
After some changes were made, the audit eventually resumed and the city passed, sources have told the Star-Telegram.
Police officials declined to comment Thursday.
In retaliation for Birchett’s reports, the lawsuit alleges Gunn and Wright pressured Birchett’s supervisor, Ron Burke, to fabricate and falsify documents concerning Birchett’s employment performance and CJIS compliance, threatening Burke’s employment if he did not.
When Burke refused, the lawsuit states, Gunn and Wright mischaracterized Fitzgerald’s Dec. 20 memo to city management in an attempt to discredit Birchett and then placed Birchett on administrative leave in early January. They then fired him on Feb. 15, the lawsuit states.