County agrees to spend up to $100,000 to fix computer security breach

 

CLINTON—A computer security breach in Anderson County could have affected about 1,800 full-time and part-time government employees, and the Anderson County Commission has agreed to spend up to $100,000 to fix it.

Officials said the breach was discovered in the “later part of July.” But they declined to say who discovered it and how. The breach is under investigation by the Anderson County Sheriff’s Department, with technical support from other unnamed law enforcement agencies.

Natalie Erb, the new finance director in Anderson County, offered potential solutions to commissioners during a Monday evening meeting. The options included a lower-cost option of reformatting the computer equipment, or magnetically “wiping” it, and possibly reusing the gear, or a more expensive option of replacing the machines, including two servers in the Accounting Department and 26 workstations.

The consensus among commissioners—especially since confidential employee information could have been jeopardized—was that it would be better to start over with new, more state-of-the-art equipment that would not have any potential security risks remaining inside, at least not from the security breach that is currently being investigated. Commissioners voted 16-0 to spend up to $100,000 to address the problem. That motion was made by Commissioner Chuck Fritts, who was one of those who raised concerns about how employees might have been affected.

Commissioners also approved, on a voice vote with no opposition, a motion to assign Erb the responsibility of securing and operating the county’s information technology, or IT, system, and to contract for technical expertise to operate and secure it. That motion was made by Commissioner Myron Iwanski.

Iwanski, who is chair of the county’s Finance Committee, said the breach is very serious and could personally affect employees as well as the integrity of the county’s financial system. County employees have been notified about the breach.

“This is a very important, complex, and urgent matter,” Iwanski said. “The investigations of the breach by law enforcement continue and are likely to take some time to complete.”

Erb, who is working with contractor Brian Young of IT Expertise, said she has spent about $7,000 so far.

Here is the breakdown of the estimated costs:

• IT technical support—$28,000. That money would be used to install two new servers and help the county get through a transition period.
• 26 workstations—$36,000. Erb had given commissioners the option of replacing the workstations later, but several commissioners, including Angeleque McNutt and Philip Warfield, said they’d like to start with a system that is safe. “I think if we’re going to do it, (let’s) do it right,” Warfield said. Other commissioners agreed.
• Two new servers in the Accounting Department—$12,000. Erb said those servers are in the most immediate need of replacement. McNutt and Commissioner Steve Mead were among those who questioned “wiping” the existing servers, as opposed to buying new ones. They raised questions about whether the county might have to turn around and buy new equipment sometime soon anyway, after paying for a magnetic wiping, and Mead wanted to make sure the system was protected from internal and external hacks. “Long term, it’s going to be cheaper to have a system that we know is right,” Mead said.
• An emergency IT contract—$7,000. This is the money spent starting in July in response to the breach.

Anderson County Human Resources Director Russell Bearden said the security breach has been a grave concern for employees. The county is working with about four companies that could provide help to employees, he said. It’s hard to put a price tag on what it will cost, but it will be large, Bearden said. Still, the county wants to take care of its employees and dependents, he said.

Erb said the county will have to address its internal policies and email archiving, and passwords will have to be changed. Anderson County should have an internal IT manager, given the amount of information it has and the size of its staff, Erb said.

Anderson County Mayor Terry Frank wanted assurances that nothing would be lost if the servers are “wiped,” and she wanted to know if emails will be backed up. Wiping the servers could destroy evidence that could help determine the cause of the breach, said Computer Systems Plus, the company that has managed county servers and software across several departments for more than a decade.

Frank also recommended that BCTI, which provides phone services to Anderson County, have a chance to use its engineers to look at the county’s computer system. That company could provide a third-party review at no charge, Frank said.

Anderson County Law Director Jay Yeager said everything will be backed up. Erb said a complete backup copy has already been sent to the Anderson County Sheriff’s Department, and the Accounting Department also has a backup copy.

Commissioners said the county wouldn’t have to get rid of its old servers, or possibly even “wipe” them, if new servers are purchased.

Yeager said it could take about three months to resolve the security breach and set up a new system.

He said investigators are working on the extent, type, and amount of data lost.

Yeager has sent a notice to all Anderson County employees and retirees, elected officials, school officials and the school board, Veterans Service members, and county contractors.

The compromised data could include confidential personal identifying data, including Social Security numbers, dates of birth, home addresses, health insurance information and claims, payroll information, bank accounts, routing numbers, Veterans Service Office benefit documents, and possible employee credit union account information, Yeager said in that notice.

The notice was sent last week to all Anderson County employees and retirees. Yeager also alerted elected officials, school officials and the school board, Veterans Service members, and county contractors.

The information was released last week as county officials complied with an amended state law dealing with data breaches that requires notification to anyone whose personal information—encrypted or not—may have been compromised by a hacking incident.

Yeager has recommended that anyone who may be affected should closely monitor their accounts and credit reports.

“If you notice suspicious activity on any of your accounts, please alert the Anderson County Human Resources and Risk Management Department immediately at (865) 457-5400, extension 300,” Yeager said. “We will inform you of any updates when they are received, provided the law enforcement investigation is not compromised.”

More information will be added as it becomes available.

 

Copyright 2016 Oak Ridge Today. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.