The Arizona Republic
The damage from hackers who gained access to Arizona Department of Public Safety employee e-mails seems to have spread exponentially in the two weeks since the breach was discovered.
First, the hackers published the content of seven DPS employees' e-mails, and days later another group shared what its members found in the personal e-mail accounts of 11 DPS employees. Then, last week the group defaced Fraternal Order of Police websites around the state, posting online the user names and passwords for hundreds of officers and promising to release information on more than 1,000 other officers.
Investigators have determined that the hackers gained access to the DPS e-mails through information they gleaned by hacking into the websites of outside labor groups, DPS Director Robert Halliday said.
Regardless of where the security lapse originated, Halliday said, the scare has served as a wake-up call to DPS administrators in charge of computer security at the state's police agency. Halliday spoke this week to The Arizona Republic about the episode.
Question: What have you been able to piece together in the past two weeks about what took place?
Answer: I think they wanted people to know that they hacked into the Department of Public Safety. The reality is they came in through e-mails of personal accounts they got through labor groups. In our organization, we became somewhat complacent about our system and the security of it. We have people with passwords of 12345 and use them for every password in the world.
Q: Have you found that the hackers tried to access criminal-justice information?
A: We have not been made aware of that at this point, but there are people and organizations trying to hack into our site every day. That's not what this is about. . . . The most important thing that they got, I think - above any information bulletins, intelligence bulletins, operations plans - they got the names and addresses of our officers, and that concerned me the most.
Q: Have you gotten any reports of officers being threatened?
A: One time. We had an officer that was called. His wife is the one that answered the phone, there was some very abusive, vulgar language used, to include, "You might see a bomb show up." We immediately sent a team to his location. All of the people who were victims of this intrusion, we immediately contacted them and tried to make sure that everybody was aware of what was going on. To my knowledge, we've only had one person who was actually called and threatened with the possibility of a bomb.
Q: Where are you in terms of the criminal investigation?
A: I'm not at liberty to talk about that. There is an ongoing investigation of this system. We've asked for help from the federal side, we've asked for help from the industry side, we've asked for a lot of help to discern how we can make this thing better. My hope is that the ongoing investigation would, at some point in time, avail itself of the perpetrators and drag them into court and hopefully get some deterrent factor out of this.
Q: What steps are you taking internally to ensure a similar attack doesn't happen again?
A: We were in the process of migrating all of our folks over to a system with stronger passwords, and that was about two-thirds of the way done. When this popped up, there were about 100 people who had not come over. I shut them out at that point. If they want to get back in our system, which we encourage them to do, they've got to come and get their strong password. You've got that First Amendment right that you're always looking at. You can't tell somebody what they can and can't do with their personal e-mail accounts, but I think we can say, "If you're not going to abide by our policies and procedures, then we're not going to allow you to have access to our system and we'll have to get the information to you like we did 30 years ago."
Q: Some of the private-account e-mails contained information that officers thought would never see the light of day, including comments about supervisors and personnel at DPS and in other organizations. If your investigation requires you to look on their personal computers, how are you handling that?
A: That's already occurred. There were some things that were brought up in regards to people in the organization, but I don't really look at that with a jaundiced eye, frankly. People have comments. I'll share things with people that I trust. Those are the kinds of things that pop up. The last thing you want to do is hand your computer over to someone who's going to see you call them a jerk or whatever. To me that's just normal. There's nothing I would want to do about that. The other side of that is we explain to them (that) all we're looking at is the things that came into your computer.
Q: Do you have any sense yet on costs associated with security upgrades?
A: We haven't. You look at the system . . . I wouldn't put that real high on the list. But now I have a different perspective about that. I think everything that falls short of our officer safety and personnel safety becomes a priority.
Q: Why haven't you been able to say more about the security breach?
A: It's real simple: There's a criminal investigation going on. When we have a criminal investigation in any arena, we're pretty closed-mouth about any specifics. The last thing I want to do is put something out that's going to impinge on any investigation or give them information on how to divert off of something that's critical to investigation or prosecution.