How cybersecurity issues have plagued Prince George’s Co. for years

New leadership was installed in Prince George s County s Office of Information System earlier this year with former director Wanda Gibson suddenly resigning or according to various inside the department being pushed out amid complaints about her management and the tradition fostered there More cyber stories Where do text spammers get your number You seemingly gave it to them Chinese hackers and user lapses turn smartphones into a mobile assurance problem Facts Doctors What to know and do about the dark web Gibson had been atop the Maryland agency since and in contemporary years began to generate formal complaints from employees working under her particular of which were substantiated by the investigations those complaints triggered Sources communicated WTOP that under her management along with the merry-go-round of deputies underneath her protection issues were only detected when agency leaders were alerted to the situation by outside monitors In one incident a vulnerability meant personal figures of county residents was possibly exposed to hackers though there s no evidence it was definitely obtained by bad actors In both cases the county downplayed the severity of the incidents which have not been previously disclosed The first occurred at the start of summer in when Russian hackers involved in what s known in Prince George s County as Urban Blizzard the county was among several governments around the country that were hacked were able to gain access into the county s infrastructure A assessment conducted by Microsoft described according to one independent cyber expert who saw it a basic level of cyber protection that was unacceptably low roughly akin to what a new structure would have before efforts were made to secure information A former OIT employee noted it was two months before the hack was detected and it s not clear what information may have been compromised A spokeswoman for Prince George s County administration acknowledged the situation and announced a sparse accounts were compromised and that was it She also announced the county was not affected systemically the way other governments around the world were Demanded why it wasn t disclosed publicly in she mentioned the county commented on it at the time but was unable to provide any record showing that comment An internet search discovered no reference to the circumstance Server vulnerabilities Then in June the county received an email from the Multi-State Information Sharing and Analysis Center a nonprofit organization that supports cybersecurity operations for over state and local governments In the email it warned of a server vulnerability that was detected Two former OIT employees who are familiar with that breach reported WTOP the servers contained the personal information of thousands of county residents and that they grew frustrated when little was done to forthwith remediate the situation One of the employees agreed to talk but admitted being worried about revealing too much about the information that was made vulnerable because of the sensitivity of it A county spokeswoman explained OIT ended up patching that server and after reviewing logs disclosed there was no record of a breach Certain documents related to the response evidenced it took a little over a week to solve A source involved at the time explained WTOP that outdated defense problems were to blame and suggested lax record keeping means the county would have no way of knowing if something was taken Just like any leadership organization you re going to give them a lot of personal information about you about your family stated John Loucaides a senior VP of customer operations with Eclypsium which specializes in infrastructure protection Those pieces of information are generally expected to be a few of the the bulk well protected attributes of your life The county has those records and has a responsibility to protect them he added Lessons gone unlearned Just a scant months before that circumstance but after the Russian hacking WTOP learned the county paid outside hackers to try to break into its system of computers essentially hiring someone from the outside to hack in and test the county s cyber defense systems Despite knowing when the attack was going to happen the hack itself triggered no alarms and went undetected In particular a summary of the test revealed there were no alerts sent to the county via email or telephone something that should have occurred The only alarm that was raised at all occurred when one of the hackers tried to log in from countries on two separate continents just minutes apart A subsequent account declared the alert that was triggered was not due to test activity I inevitably look at a isolated occurrence in cybersecurity as something that can happen to anybody because you got unlucky Loucaides reported But in this episode he noted there didn t seem to be any lessons learned If you are not investing in cybersecurity properly then this will be a pattern and this will not be an isolated development he reported That s what I m concerned about with this particular issue Those undetected incidents would go on to be mentioned in an anonymous whistleblower complaint filed against Gibson earlier this year that reported OIT had not properly published the breaches that had gone undetected by the county s cybersecurity teams Hostile work context It all happened during a time where the circumstances inside OIT could be summed up as toxic according to former and current employees The complaint also raised questions about contracts given out by OIT to vendors around the country various that are worth hundreds of thousands of dollars for what a source commented was usually minimal work It s unclear how much of it was investigated by the county s compliance office since Gibson left her post after it was filed Multiple calls made to Gibson have gone unanswered A source confirms however that Gibson was also investigated several times by other county watchdog agencies including the Office of Human Stock Management and the Office of Ethics and Accountability Multiple complaints filed by employees through OHRM including accusations of a hostile work climate racial discrimination and retaliation were investigated independently While multiple were not substantiated several of them were Still Gibson remained in her position despite those findings The county would neither comment on the circumstances that eventually led to Gibson s departure nor was there any response to the findings of the investigations triggered by employee complaints Source