Fort Worth Chief Technology Officer Kevin Gunn presented the city council with an update on data security during the May 21 work session, along with addressing the recent lawsuit filed by a former employee.
“A lot of time, effort, energy, funding is invested in protecting these valuable resources,” Gunn said. “I can’t emphasize enough that we take it seriously and work 365 days a year.”
The whistleblower lawsuit, as it has become known, was filed in Dallas County on May 15. In it are allegations of numerous information security deficiencies:
*Hackers stole $515,000.
*Sensitive employee information on Internet accessible networks.
*Improper access to Criminal Justice Information Systems (CJIS) and falsification of CJIS compliance information.
*Protection of credit card data.
A former employee has claimed termination due to reporting of these items.
Gunn addressed each of the allegations independently. Here is his report:
Allegation: Hackers stole money.
*City and Imperial Construction where victims of a phishing email in October 2017.
*Accounts Payable staff received email and did not follow established procedure
*$693,625.77 sent to fraudulent account in October 2017 ($48,000 recovered).
*Reported to Fort Worth Police Department in January 2018, once notified by Imperial of non- payment.
*Reported to external auditor for review of controls; reviewed for employee fraud and deemed immaterial for final report.
*Council approval on April 3, 2018 for Risk Fund appropriation to cover the loss.
*Arrest made in May 2018.
*Direct deposit information for six employees was changed.
*Suspect, phishing email source.
*Payments of $16,007.35 were misdirected to a prepaid card account by scammers.
*Payroll staff notified FWPD in May 2018.
*Additional review procedures implemented for changes to banking information was put in place for all instances.
Allegation: Sensitive employee information accessible on the Internet.
*IT Solutions notified September 2018.
*Source was a third-party, supplemental benefits vendor web portal.
*The city notified the vendor, who immediately added additional authentication requirements.
*No indications that employee information was improperly accessed or released.
*Web portal does not display Social Security number, but employees can add dependent information.
Allegation: Improper access and falsified CJIS information.
*City received letters of compliance for all of the past CJIS audits, with the most recent in January.
*ITS staff met with FWPD command staff in May/June 2018 to implement plan to tighten CJIS compliance.
*Police identified ITS staff with access rights to CJIS, but no related job responsibilities.
*ITS performed updated background investigations of all staff and took appropriate action, continuing to review.
*Employee who filed whistleblower suit was tasked to mitigate the computer access issue.
*One incident of improper access by disqualified staff, report filed with DPS.
Allegation: Failed to protect credit card information.
Payment Card Industry Data Security Standards:
*In 2018 the city moved from Level 3 to Level 2 based on transaction volume.
*Water department is compliant; remainder of the city is compliant at Level 3, but not at Level 2.
*Followed normal process to submit a plan to be compliant by October.
*Quarterly progress reports, now monthly reports.
Going forward, Gunn noted the Data Security Program has:
*Placed an emphasis on reasonable approach to protecting city systems.
*Increased team to four staff.
*Turnover brought new staff to the team.
*Increased funding over the past three years.
*Upgraded systems and software.
*Added new protection measures.
District 4 Councilman Cary Moon said of the allegations and the report, “My concerns are the errors out there in the public sentiment that are not correct, the perception that we as a mayor and council are not transparent, and then to really make sure we as an organization have corrected some simple errors in our controls that should not have been made.”
Gunn also noted that, like most systems, Fort Worth’s is under constant attack. He said in the past 90 days the system:
*Blocked 456,900 attempted vulnerability exploits from the Internet.
*Blocked 17,400 HTTP brute force attempts on web applications.
*Blocked 33,400 Spyware downloads.
*Blocked 17,980 virus downloads.
*Blocked 10,200 attempts from users browsing malware hosting sites.
In the past 30 days, the system:
*Detected 106 malware downloads.
*Blocked 352 phishing campaigns.
*Investigated two potential data leaks comprising of 413 credentials.
*Investigated one potential brand protection case.
“The large majority of errors we’ve seen are human errors,” Mayor Betsy Price said. “You’ve got good protection in place, and it’s hard to stop those.”