An activist challenging Agriculture Commissioner Sid Miller in this spring’s Republican primary says Miller’s office erred by not alerting child victims of a personally exploitative computer hack for more than a month.
Trey Blocker, a lawyer and former legislative aide who’s worked as a lobbyist, said in a January commentary for the Odessa American that in October a Texas Department of Agriculture “employee’s laptop was attacked by ransomware, releasing critical personal information for over 700 Texas students and their families.”
“The hack,” Blocker wrote, “resulted in a loss of the most personal of information — names, Social Security numbers, birth dates, home addresses, and more — for Texas students and their families in almost 40 school districts. For reasons unknown, TDA did not notify the families affected until November 22, 2017 — 32 days after the breach.”
Blocker opined: “Though no organization is immune to cybersecurity attacks, this unnecessary delay in notification shows once again the failed leadership of Sid Miller. This is a matter of trust.”
At PolitiFact Texas, we don’t fact-check leadership. But we were curious: Did Blocker accurately recap the computer hack and timing of notices?
Blocker pointed us to a December Denton Record-Chronicle news story stating the state Agriculture Department had notified school districts about Nov. 22 — 27 days (or 19 business days) after the Oct. 26 “malware attack” on an employee’s computer resulting in a data breach exposing the personal information of students in 39 school districts.
The newspaper said the districts, mostly in North and East Texas, ranged in size from the 138-student Karnack district near Louisiana to the 15,185-student Crowley district near Fort Worth. The Agriculture Department, the story said, “oversees the federal nutrition program that provides school breakfasts and lunches. Because of that, the agency identified more than 700 students whose personal information might have been stolen by an unauthorized person. Officials said that information could include names, home addresses, birth dates, phone numbers and Social Security numbers of students and their families.”
A Texas Agriculture Department spokesman, Mark Loeffler, told the newspaper: “We have no indication right now that any of this information has been misused. We wanted to make sure we knew exactly what the scope was and how many pieces of personal information were compromised before we sent anything out. We had to go through a manual process to confirm that.”
Loeffler said that it continues to look like no information was illicitly taken from a laptop that was probed by malware — not ransomware, which implies an outside party seeking a payment to unfreeze a computer — after the worker clicked on a dangerous link.
“This is a very human error. This is the same mistake millions of people make every day,” Loeffler said. Also, he said by email, while the forensic analysis continues, “TDA fully expects that no data ever left the device.”
After the fateful afternoon click, Loeffler said, the Texas Agriculture Department soon heard from the Texas Department of Information Resources that malware had been introduced.
Elliott Sprehe of the Department of Information Resources told us that the agency’s Network Security Operating Center inspects and potentially blocks malicious internet traffic going to and from state agencies. In this case, Sprehe said, the center’s tools saw what was potentially malware on an Agriculture Department computer and alerted that department’s staff.
Sprehe said: “The traffic pattern DIR reported was indicative of either ransomware or hidden” click fraud activity, which dictionary.com defines as the “fraudulent practice of clicking many times on an online advertisement to generate the small fee charged to the advertiser per click, thereby harming the advertiser or benefiting the host website.”
Loeffler estimated to us that the laptop was open to malicious probes on the day in question for about an hour before it was shut down, with a copy of its hard drive subsequently made for “digital forensic review.”
Most recently, Loeffler advised, the Agriculture Department determined through a file-by-file review that out of some 5,000 items on the laptop, fewer than 200 “could have had any combination of personal identifying information that would matter to anybody who wanted to use it maliciously. Of the 200,” Loeffler said, probably fewer than 50 contained the “perfect storm” of someone’s date of birth, Social Security number and name.
Brian Calkin, a vice president at the Multi-State Information Sharing and Analysis Center, authorized by the Homeland Security Department, told us the center annually conducts 150 to 200 post-incident reviews for state and local agencies. Those reviews typically take two to four weeks to complete — making the Agriculture Department’s notification timeline ordinary. “You’ve got to allow time for them to see what occurred,” Calkin said.
We also heard back about the timing of the notifications to districts from Lance Hayden, a computer security expert who teaches in the University of Texas School of Information. Hayden told us that according to data analysis from the International Association of Privacy Professionals, “the average time from an organization discovering a breach to when they report it runs at about 30 days. Using that metric, the TDA’s notification at 27-32 days would be very typical of this sort of incident,” Hayden wrote.
Blocker said the department led by Miller didn’t notify more than 700 Texas students about a computer hack releasing critical personal information including Social Security numbers until 32 days after the breach.
This claim has an element of truth in that the agency alerted districts to the malware attack exposing personal information nearly a month later — though that time lag wasn’t unusual, experts told us. Most significantly, the agency says it hasn’t confirmed the capture or misuse of any personal information from the laptop. As a result, we found no support for Blocker’s claim that the incident “resulted in a loss of the most personal of information.”
On balance, we rate Blocker’s statement Mostly False.
Statement: Says the Texas Department of Agriculture didn’t notify over 700 Texas students about a computer hack releasing critical personal information including Social Security numbers until 32 days after the breach.