An activist challenging Sid Miller for the 2018 Republican nomination for Texas agriculture commissioner says the first-term incumbent muffed by not alerting child-victims of a personally exploitative computer hack for more than a month.
Trey Blocker, a lawyer and former legislative aide who’s worked as a lobbyist, said in a January 2018 commentary for the Odessa American that in October 2017, a Texas Department of Agriculture "employee’s laptop was attacked by ransomware, releasing critical personal information for over 700 Texas students and their families.
"The hack," Blocker wrote, "resulted in a loss of the most personal of information — names, Social Security numbers, birth dates, home addresses, and more — for Texas students and their families in almost 40 school districts. For reasons unknown, TDA did not notify the families affected until November 22, 2017 — 32 days after the breach."
Blocker opined: "Though no organization is immune to cybersecurity attacks, this unnecessary delay in notification shows once again the failed leadership of Sid Miller. This is a matter of trust."
We don’t judge leadership. But did Blocker accurately recap the computer hack and timing of notices?
Candidate cites news story
To our emailed inquiry, Blocker pointed us to a December 2017 Denton Record-Chronicle news story stating the Agriculture Department had notified districts about Nov. 22, 2017 — or 27 days (or 19 business days) after the Oct. 26, 2017, "malware attack" on an employee’s computer resulting in a data breach exposing the personal information of students in 39 school districts.
The newspaper said the districts, mostly in North and East Texas, ranged in size from the 138-student Karnack district near Louisiana to the 15,185-student Crowley district near Fort Worth. The Agriculture Department, the story said, "oversees the federal nutrition program that provides school breakfasts and lunches. Because of that, the agency identified more than 700 students whose personal information might have been stolen by an unauthorized person. Officials said that information could include names, home addresses, birth dates, phone numbers and Social Security numbers of students and their families," the story said.
A TDA spokesman, Mark Loeffler, told the newspaper: "We have no indication right now that any of this information has been misused. We wanted to make sure we knew exactly what the scope was and how many pieces of personal information were compromised before we sent anything out. We had to go through a manual process to confirm that."
Our search of the Nexis news database for coverage of the incident led us to learn that the Longview News-Journal was the first news organization to report the incident. Its Nov. 30, 2017, story was accompanied by a two-page statement from Miller summarizing the "attack incident" and providing a chart specifying the districts at risk.
When we queried TDA, Loeffler noted that state law doesn’t set a hard deadline for notifying individuals affected by a computer breach. Section 521.053 of the Texas business and commerce code states the disclosure of a breach "to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person" shall occur "as quickly as possible."
And why did it take nearly a month for the agency to notify districts? "It took a substantial amount of time to identify what happened," Loeffler said in January 2018. "We’re still putting the pieces together." Loeffler said the notification of districts "was made out of an abundance of caution. Commissioner Miller made the decision to notify even though we had no information that any data had left the system."
Loeffler said further that it continues to look like no information was illicitly taken from the laptop, which he said was actually probed by malware--not ransomware, which implies an outside party seeking a payment to unfreeze a computer--after the worker clicked on a dangerous link.
"This is a very human error. This is the same mistake millions of people make every day," Loeffler said. Also, he said by email that while the forensic analysis continues, "TDA fully expects that no data ever left the device."
After the fateful afternoon click, Loeffler said, TDA shortly heard from the Texas Department of Information Resources that malware had been introduced.
Elliott Sprehe of the DIR separately told us by email that the agency’s Network Security Operating Center "inspects and potentially blocks malicious internet traffic going to and from state agencies." In this case, Sprehe said, "the NSOC’s tools saw what was potentially malware on a TDA computer" on Oct. 26, 2017, and at about 4:30 p.m. that day alerted TDA staff to investigate and resolve the issue.
Sprehe said: "The traffic pattern DIR reported was indicative of either ransomware or hidden" click fraud activity, which dictionary.com defines as the "fraudulent practice of clicking many times on an online advertisement to generate the small fee charged to the advertiser per click, thereby harming the advertiser or benefiting the host website."
Loeffler estimated to us that the laptop was open to malicious probes on the day in question for about an hour before it was shut down with a copy of its hard drive subsequently made in Austin for "digital forensic review."
Most recently, Loeffler advised, TDA determined through a file by file review that out of some 5,000 items on the laptop, less than 200 "could have had any combination of personal identifying information that would matter to anybody who wanted to use it maliciously. Of the 200," Loeffler said, probably less than 50 contained the "perfect storm" of someone’s date of birth, social security number and name.
Notice to districts
We also scrolled TDA web pages devoted to the federally funded free- and reduced-price school meal programs. That’s where we spotted an undated statement headlined "Security Notice" stating that after the employee’s laptop was compromised by the attack, "some students in school districts throughout Texas may have been potentially impacted by the breach."
The statement also says:
"The information exposed on the employee's laptop included names, social security numbers, home addresses, birth dates, and personal phone numbers of the affected students and their families. To date, TDA's Information Security Officer (ISO) has identified more than 700 students whose sensitive personal information was, or is reasonably believed to have been, exposed to acquisition by an unauthorized person.
"It is important to note that, to date, TDA’s ISO has not discovered any evidence to suggest misuse of the information that was compromised by the ransomware exploit. TDA recognizes the implications of this breach and continually evaluates agency processes and protocols to reduce future occurrences."
Finally, the statement urges potentially affected individuals to contact three major U.S. credit bureaus to activate free fraud alerts on behalf of affected students.
We asked Sprehe if it typically takes about a month to alert possible victims of malware attacks. Sprehe replied: "Due to the complexity and uniqueness of each security incident, there is no way to approximate this."
Sprehe and Loeffler each mentioned the Multi-State Information Sharing and Analysis Center, authorized by the Department of Homeland Security. Loeffler specified that the center was handling the forensic review of the TDA laptop’s hard drive.
When we followed up, the center declined to comment on its review of the TDA incident.
But generally, a center vice president told us the center annually conducts 150 to 200 post-incident reviews for state and local agencies. Those reviews, Brian Calkin said, typically take two to four weeks to complete--making the TDA’s notification timeline ordinary. "You’ve got to allow time for them to see what occurred," Calkin said.
We also heard back about the timing of the notifications to districts from Lance Hayden, a computer security expert who teaches in the University of Texas School of Information. By email, Hayden told us that according to data/analysis from the International Association of Privacy Professionals, "the average time from an organization discovering a breach to when they report it runs at about 30 days. Using that metric, the TDA’s notification at 27-32 days would be very typical of this sort of incident," Hayden wrote.
We told Blocker that the agency had yet to find that any personal data was misused in the wake of the attack. Blocker replied by email that possible victims still should have been informed as soon as possible. "That is the responsible thing to do given the potential harm that could come to these students and their families," he wrote.
Blocker said the department led by Miller didn’t notify more than 700 Texas students about a computer hack releasing critical personal information including Social Security numbers until 32 days after the breach.
This claim has an element of truth in that the agency alerted districts to a malware attack exposing personal information nearly a month after the attack--though that time lag wasn't unusual, experts told us. Most significantly, the agency says it hasn't confirmed the capture or misuse of any personal information from the laptop. As a result, we found no support for Blocker's claim that the incident "resulted in a loss of the most personal of information."
On balance, we rate Blocker’s statement Mostly False.
MOSTLY FALSE – The statement contains an element of truth but ignores critical facts that would give a different impression.