Breach puts information in peril

Breach puts information in peril
Breach puts information in peril

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

Content-Transfer-Encoding: QUOTED-PRINTABLE

By Josh Rabe
Staff Writer
August 25, 2007

Someone hacked into computers at three Oklahoma law enforcement agencies 
and may have stolen private information meant only for police use, the 
state Department of Public Safety announced Friday.

Details of the extent of the security compromise remained sketchy 
Friday, but officials said only the Elk City and Eufaula police 
departments and the Kiowa County Sheriff Department were affected.

The Department of Public Safety is urging anyone who has had contact 
with those agencies to check for any suspicious charges on credit cards 
or to obtain a credit report as soon as possible. Even people pulled 
over for a traffic stop but not given a ticket could be at risk.

"Because this is an ongoing investigation, we are not able to release a 
lot of information,=E2=80=9D said Capt. Chris West, spokesman for the Oklahoma 
Highway Patrol.

West said he could not elaborate on how long security had been 
compromised at those locations or how many people may be affected by the 
security breach.

"We believe it is a small number of individuals,=E2=80=9D West said. "Those 
individuals will be contacted by the involved law enforcement agency.=E2=80=9D

What was affected

The breach involved information used by the Oklahoma Law Enforcement 
Telecommunications System, a statewide computer network used by 
dispatchers to obtain instant access to all types of local, state and 
federal law enforcement databases.

Police dispatchers typically use the system to verify the status of 
driver licenses, vehicle registration and to check for outstanding 
warrants and criminal history.

Gene Thaxton, telecommunications director for the Department of Public 
Safety, said central files for the system are stored at his agency and 
were not affected by the breach. The system is accessible at roughly 380 
terminals statewide at law enforcement agencies.

Any information accessed by dispatchers that was displayed on their 
computer screen may have been sent to a third party by a computer virus 
found on the three affected computers.

Both driver license numbers and Social Security numbers are listed in 
the database along with names and addresses, Thaxton said.

How it happened

The security breach was the first discovered in the computer network, 
which has been in use since 1986.

West said computers law enforcement agencies use for the Oklahoma Law 
Enforcement Telecommunications System often serve a variety of other 
functions, including unrestricted Internet access.

Employees at the three agencies apparently accessed "inappropriate or 
undesirable Web sites,=E2=80=9D where viruses were unknowingly downloaded onto 
the computers, West said.

West said he could not elaborate on the type of sites in question, but 
Internet access at all 380 terminals has since been limited to a list of 
15 approved sites related to law enforcement.

Thaxton said the problem was discovered during a routine inspection of 
the system, which found private information was being sent to a third 
party outside law enforcement from those three computers.

West said hard drives were removed from the infected computers and have 
been sent to the FBI for forensic analysis.

A surprise for police

Eufaula Police Chief Don Murray said he first learned about the problem 
about 11 a.m. Friday.

Murray said the state provided the computer his dispatchers use to 
access the telecommunications system and he didn't know it was capable 
of doing anything else.

"I would have thought that was all they were restricted to do to begin 
with,=E2=80=9D Murray said.

Murray said he was surprised to learn that improper use of the computer 
may have led to the security breach and that he will take disciplinary 
action against anyone involved if the FBI can prove guilt.

Murray said he is urging anyone who has had contact with his officers 
within the past year to watch out for identity theft, but that state 
officials didn't provide him a specific time frame of the breach.

Elk City police officials were not available for comment, and Kiowa 
County officials didn't return a call seeking comment.

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Attend HITBSecConf2007 - Malaysia 
Taking place September 3-6 2007 featuring seven tracks of technical 
training and a dual-track security conference with keynote speakers 
Lance Spitzner and Mikko Hypponen!  -  Book your seats today! 

Site design & layout copyright © 1986-2015 CodeGods