The City of Tulsa’s costly screw-up
The saga of the City of Tulsa hack-that-wasn’t-a-hack fascinates me and would be funny if it wasn’t such a costly foul-up. While the city’s IT manager is on paid administrative leave, Ian Silver of Fox23 provides some additional details , most notably:
- To their credit, the city had hired SecurityMetrics 18 months ago to periodically check their security for holes. The “hack” was a result of SecurityMetrics doing their job and finding a hole in the process.
- The city checked the IP address for the intruder but thought it might be a spammer. It appears they never checked with SecurityMetrics. I contacted SecurityMetrics, who provided the following statement:
SecurityMetrics conducts regular vulnerability scans for tens of thousands of clients each month and uses an identical process to notify all account managers of scan results following each scan completion. In addition, each client has 24/7 online access to their SecurityMetrics account which includes times of past and future scans, and individual scan vulnerabilities. Although there was no breach, we applaud the City of Tulsa for implementing a punctual and accurate response process.
So it seems the city could have easily checked its account online to see if there had been a scan at the time of the “intrusion,” but didn’t. Had they done that, it could have spared them a lot of time, money, and grief.
- In addition to paying SecurityMetrics, the city wound up paying $20,000 in mailings to 90,000 people whom they thought had been victims of a hack. They also paid $25,000 to True Digital Security to investigate what they thought was a hack. Why they didn’t ask SecurityMetrics to investigate the hack is not explained. Had they done that, they might have also averted the costly mailing and other fees.
- The city is hiring yet another firm to help them restructure their IT department so this type of thing doesn’t happen again.
It’s good that they detected a breach, and I don’t want to dismiss the importance of that. But the rest of this was a bit of a fiasco and re-structuring and improving communications may help avert a similar situation in the future. But what are other lessons to be learned here?