PolitiFact: Did state wait too long to warn of hack?

An activist challenging Agriculture Commissioner Sid Miller in this spring’s Republican primary says Miller’s office erred by not alerting child victims of a personally exploitative computer hack for more than a month.

Trey Blocker, a lawyer and former legislative aide who’s worked as a lobbyist, said in a January commentary for the Odessa American that in October a Texas Department of Agriculture “employee’s laptop was attacked by ransomware, releasing critical personal information for over 700 Texas students and their families.”

“The hack,” Blocker wrote, “resulted in a loss of the most personal of information — names, Social Security numbers, birth dates, home addresses, and more — for Texas students and their families in almost 40 school districts. For reasons unknown, TDA did not notify the families affected until November 22, 2017 — 32 days after the breach.”

Blocker opined: “Though no organization is immune to cybersecurity attacks, this unnecessary delay in notification shows once again the failed leadership of Sid Miller. This is a matter of trust.”

At PolitiFact Texas, we don’t fact-check leadership. But we were curious: Did Blocker accurately recap the computer hack and timing of notices?

Blocker pointed us to a December Denton Record-Chronicle news story stating the state Agriculture Department had notified school districts about Nov. 22 — 27 days (or 19 business days) after the Oct. 26 “malware attack” on an employee’s computer resulting in a data breach exposing the personal information of students in 39 school districts.

The newspaper said the districts, mostly in North and East Texas, ranged in size from the 138-student Karnack district near Louisiana to the 15,185-student Crowley district near Fort Worth. The Agriculture Department, the story said, “oversees the federal nutrition program that provides school breakfasts and lunches. Because of that, the agency identified more than 700 students whose personal information might have been stolen by an unauthorized person. Officials said that information could include names, home addresses, birth dates, phone numbers and Social Security numbers of students and their families.”

A Texas Agriculture Department spokesman, Mark Loeffler, told the newspaper: “We have no indication right now that any of this information has been misused. We wanted to make sure we knew exactly what the scope was and how many pieces of personal information were compromised before we sent anything out. We had to go through a manual process to confirm that.”

Loeffler said that it continues to look like no information was illicitly taken from a laptop that was probed by malware — not ransomware, which implies an outside party seeking a payment to unfreeze a computer — after the worker clicked on a dangerous link.

“This is a very human error. This is the same mistake millions of people make every day,” Loeffler said. Also, he said by email, while the forensic analysis continues, “TDA fully expects that no data ever left the device.”

After the fateful afternoon click, Loeffler said, the Texas Agriculture Department soon heard from the Texas Department of Information Resources that malware had been introduced.

Elliott Sprehe of the Department of Information Resources told us that the agency’s Network Security Operating Center inspects and potentially blocks malicious internet traffic going to and from state agencies. In this case, Sprehe said, the center’s tools saw what was potentially malware on an Agriculture Department computer and alerted that department’s staff.

Sprehe said: “The traffic pattern DIR reported was indicative of either ransomware or hidden” click fraud activity, which dictionary.com defines as the “fraudulent practice of clicking many times on an online advertisement to generate the small fee charged to the advertiser per click, thereby harming the advertiser or benefiting the host website.”

Loeffler estimated to us that the laptop was open to malicious probes on the day in question for about an hour before it was shut down, with a copy of its hard drive subsequently made for “digital forensic review.”

Most recently, Loeffler advised, the Agriculture Department determined through a file-by-file review that out of some 5,000 items on the laptop, less than 200 “could have had any combination of personal identifying information that would matter to anybody who wanted to use it maliciously. Of the 200,” Loeffler said, probably less than 50 contained the “perfect storm” of someone’s date of birth, Social Security number and name.

Brian Calkin, a vice president at the Multi-State Information Sharing and Analysis Center, authorized by the Homeland Security Department, told us the center annually conducts 150 to 200 post-incident reviews for state and local agencies. Those reviews typically take two to four weeks to complete — making the Agriculture Department’s notification timeline ordinary. “You’ve got to allow time for them to see what occurred,” Calkin said.

We also heard back about the timing of the notifications to districts from Lance Hayden, a computer security expert who teaches in the University of Texas School of Information. Hayden told us that according to data analysis from the International Association of Privacy Professionals, “the average time from an organization discovering a breach to when they report it runs at about 30 days. Using that metric, the TDA’s notification at 27-32 days would be very typical of this sort of incident,” Hayden wrote.

Our ruling:

Blocker said the department led by Miller didn’t notify more than 700 Texas students about a computer hack releasing critical personal information including Social Security numbers until 32 days after the breach.

This claim has an element of truth in that the agency alerted districts to the malware attack exposing personal information nearly a month later — though that time lag wasn’t unusual, experts told us. Most significantly, the agency says it hasn’t confirmed the capture or misuse of any personal information from the laptop. As a result, we found no support for Blocker’s claim that the incident “resulted in a loss of the most personal of information.”

On balance, we rate Blocker’s statement Mostly False.

Reader Comments ...

Next Up in Texas News & Politics

Jury deliberating in Crispin Harmel’s capital murder trial
Jury deliberating in Crispin Harmel’s capital murder trial

A jury began deliberating in the capital murder case of Crispin Harmel on Tuesday afternoon after more than two hours of closing arguments by prosecutors and defense attorneys. Prosecutor Julie Stone told jurors that Harmel was an “opportunistic monster” and said the defense’s story was ridiculous. She said the strangulation victim...
Union to AISD: Stop pursuing program noted in ex-board president’s text

Leaders of the Austin teachers union called Monday for the district to stop pursuing a program the board’s former president discussed in an inflammatory text message that led to her resignation earlier that day. Austin school board President Kendall Pace on Monday morning apologized for the phrases she used in the text message, which she sent...
Bird gets city OK to restart scooter rental, joining Pace bikes
Bird gets city OK to restart scooter rental, joining Pace bikes

Bird will be the early bird once again, it appears. The scooter-rental company, which released its vehicles onto Austin streets without city permission in early April, Tuesday was granted a city licence to operate yet again after a pause that began April 29 when the Austin officials threatened to crack down. Bird officials could not say definitely...
Man fatally shot in head Saturday outside South Austin bar, police say
Man fatally shot in head Saturday outside South Austin bar, police say

One man died and another has been charged with murder after they got into a fight last weekend outside a South Austin bar on Ben White Boulevard, Austin police said. Glenn Eugene Howell, 47, died from a gunshot wound to the head Saturday outside the Bender Bar & Grill on Ben White, between South First Street and South Congress Avenue, officials said...
Central Texas schools look to beef up security after Santa Fe shooting
Central Texas schools look to beef up security after Santa Fe shooting

In the aftermath of the Santa Fe High School shooting last week, Central Texas school officials are reviewing safety plans and working to tighten security, including for upcoming graduation ceremonies. Officials with several area school districts said this week they will continue to conduct drills, including for lockdown, lockout and evacuations. They...
More Stories