City Servers Hacked

Started by patric, September 13, 2012, 12:13:45 PM

Townsend

The wife received a letter as well from city contact 5 or six years ago.

The letter advises to contact one of three credit agencies to file for a fraud alert.  3 numbers were provided.

Experian's prompts were inactive so she moved to the next one.  Equifax has an automated system which files it for you but then sends you to an outsourced group to go over suggestions for other steps you might take.  She was unable to understand the first gentleman so she put him on speaker.  I was unable to understand him either and asked to speak with someone else.  His "supervisor" came on and she had a thicker accent.  I asked if I could speak to someone easier to understand and she got very angry.  I explained it was important to us to be sure to understand every word.    She transferred us to a dead line.

So that's fun.

The city of Tulsa line on the letter was unmanned.

I monitor our credit reports once a year.  I'm hoping the report she filed on the automated system was effective but I'll follow up to make sure.

Thanks City of Tulsa.  You've proven once again to be a pain in the exit.

nathanm

Quote from: rdj on September 26, 2012, 08:41:40 AM
The city website is still down.  What the heck?

What the heck indeed. You'd think they could at least get the basic stuff up, even without all the fancy web apps and forms and whatever. That they were collecting information on their website (and storing it on the web server!) sufficient to create a risk of identity theft is just bizarre to me. The competence level is clearly extremely high in that organization.
"Labor is prior to and independent of capital. Capital is only the fruit of labor, and could never have existed if labor had not first existed. Labor is the superior of capital, and deserves much the higher consideration" --Abraham Lincoln

Townsend

local fox tweet:

Quote: City website not hacked, no personal information taken, say city officials Monday. $20K spent on mailings to warn residents.

nathanm

Well, I commend them on their abundance of caution.  :P

Townsend

City Of Tulsa Website 'Hack' Was Only A Test

http://www.newson6.com/story/19687044/city-of-tulsa-website-hack-was-only-a-test

Quote: TULSA, Oklahoma - The City of Tulsa has confirmed that no personal information was compromised in a recent website hack. In fact, what they thought was a security breach was actually a test by a third-party firm hired by the City's Internet technology department.
"We had to treat this like a cyber-attack because every indication initially pointed to an attack," said City Manager Jim Twombly.

The third-party consultant had been hired to perform an assessment of the city's network for vulnerabilities. The firm used an unfamiliar testing procedure that was not immediately discovered, according to a City of Tulsa news release.

Through the testing procedure, the IT department was able to further secure and protect the system, servers and web users, the release states, with no compromise of customers' personal information.


"The good news is that we can now confirm that no personal information was accessed by an unauthorized source," said Tulsa Mayor Dewey Bartlett.

"In addition, we have used this opportunity to enhance our network security and strengthen processes that we would use to identify potential breaches."

The incident did cost the City about $20,000 for a mass mailing warning about 90,000 customers.

nathanm

And now I commend them for their inability to communicate within their own department.  ::)

Conan71

Per the Whirled:

Quote: The city of Tulsa's Web site wasn't hacked after all, officials revealed Monday.

A third-party firm that periodically tests the city's networks used an "unfamiliar testing procedure" last month that city Information Technology personnel initially misinterpreted as an unknown breach, according to a city statement.

The city's Web site was offline for more than two weeks as an investigation was conducted and additional security measures were taken. Some functions, such as the public meeting agenda postings, are still not working.

City officials didn't realize it was the firm, Utah-based Security Metrics, until after 90,000 letters were sent to people who had applied for city jobs or made crime reports online warning them that their personal identification may have been accessed.

The mailing cost $20,000, officials said.

"We are dedicated to the security and protection of our employees and citizens first," City Manager Jim Twombly said.

"We had to treat this like a cyber-attack because every indication initially pointed to an attack."

Based on the best information available at the time, officials said, the city proceeded with the mailing to comply with state notification laws.

The firm has since confirmed that no personal identification was accessed in its testing procedure.

The city's KPMG efficiency study has recommended a complete review of the IT organization, including processes, practices and infrastructure.

Mayor Dewey Bartlett said that, as a result of this situation, he will expedite a request for proposals to get that review done.

"We have used this opportunity to enhance our network security and strengthen processes that we would use to identify potential breaches," he said.


Read more from this Tulsa World article at http://www.tulsaworld.com/news/article.aspx?subjectid=11&articleid=20121001_11_0_Thecit522369
"It has been said that politics is the second oldest profession. I have learned that it bears a striking resemblance to the first" -Ronald Reagan

Gaspar

There are currently 205 people employed by the IT department for the city.  The total salary amount we pay these folks is $10,769,342.00.

One of those people hired Security Metrics to test and maintain PCI compliance for the city, and pays them every year to do so.  Chances are, because of the size of the city's bandwidth, they may even have an appliance supplied by Security Metrics.  Security Metrics also supplies them with a certificate of PCI compliance based on their results.  I can't for the life of me understand how someone could be unaware of this?

You would think, if there was evidence of "unauthorized access" it would be rather simple to reference back to the source.  Ok. . .it might take 10 minutes.

Somewhere in a building downtown, there is a moron collecting a city paycheck.



When attacked by a mob of clowns, always go for the juggler.

sgrizzle


Gaspar

It must have been really hard to track down in the city's server room.

Townsend

City IT Director Placed on Leave

http://kwgs.com/post/city-it-director-placed-leave

Quote: Mayor Dewey Bartlett said today that Chief Information Officer Tom Golliver has been placed on administrative leave with pay. The circumstances surrounding this action are related to a personnel issue and no further comment will be available.

Bartlett has named Tulsa Police Department Captain Jonathan Brooks as interim director of the Information Technology Department.

"Captain Brooks is a proven, experienced and successful manager with the Tulsa Police Department. He is a well-respected leader who can assist with the organizational demands of I.T. until this personnel issue is resolved," Bartlett said. "He has vast knowledge and training in safety and security practices that will benefit I.T. as its staff maneuvers the complexities of the technical systems, networks and connections with the public."

O o

Hoss


sgrizzle

How did you not post this Hoss?

godboko71

I am speechless, a director of IT needs to be more than just a good manager... Who is running this trainwreck...
Thank you,
Robert Town

sgrizzle

Quote from: godboko71 on October 01, 2012, 06:06:30 PM
I am speechless, a director of IT needs to be more than just a good manager... Who is running this trainwreck...

What I heard is that the guy made close to $200k for a government job, hired off of Williams I think. Veteran of the Williams<->Worldcom dotcom overpay cycle before the bust and IT people started being paid based on talent.