[BreachExchange] County Employees Notified of Data Security Breach

Wed Dec 20 22:31:20 EST 2017

https://www.geaugamapleleaf.com/news/county-employees-notified-of-data-security-breach/

Geauga County employees and family members were alerted Dec. 15 to a
data security incident involving possible unauthorized access to and
acquisition of their personal information provided in connection with
their employment with the county.

Geauga County Auditor Frank J. Gliha informed those affected about the
incident in a Dec. 15 letter, which the Geauga County Maple Leaf
obtained Tuesday.

“At this time, we have no information indicating that any of your
data, including your Social Security number, has been inappropriately
used by anyone,” Gliha said. “However, as part of our continued
commitment to the security of our employee’s data, we are providing
this notice as a precaution and to let you know about some steps you
can take to protect yourself.”

WHAT HAPPENED

On Oct. 25, law enforcement executed a search warrant at the rental
home of former Geauga County IT Director Stephen Decatur following his
arrest for allegedly embezzling more than $250,000 from the county.

Decatur headed the Automatic Data Processing Center, which is part of
Gliha’s office. According to its website, the ADP automates county
functions, like accounting, payroll, water bills and personal property
taxes, among others.

In the course of the search, officials seized a number of Decatur’s
personal electronic devices, including a “drive” that contained a
spreadsheet Decatur had prepared to comply with Affordable Care Act
requirements.

“The spreadsheet contained the personal information, including name,
address, Social Security numbers and dates of birth of individual
Geauga County employees and, in some instances, their spouses and
children,” Gliha said.

The spreadsheet also contained the name of the county employment
agency of each employee as well as his or her employment status.

“Mr. Decatur was not authorized to bring the drive home nor was he
authorized to work on it from home,” Gliha said. “At this time, we are
not aware of any connection between the pending criminal charges
against Mr. Decatur and the drive with employee information that law
enforcement seized from (his) home.”

WHAT IS THE AUDITOR’S OFFICE DOING ABOUT IT

Gliha said his office is working with the Geauga County Prosecutor’s
Office and a national forensic firm to review the incident.

“To date, we have seen no evidence of any unauthorized access to or
use of the employee data on the drive,” Gliha said. “In addition, the
forensic investigator that we are working with did a search of certain
websites known to be used by criminals and saw no evidence of this
database of Geauga County employees on the Dark Web.”

The auditor’s office also is working to enhance its policies and
procedures for securing employee’s personal data, including limiting
the use of drives and devices that can store personally identifiable
information, Gliha added, as well as changing all employee computer
passwords and conducting training to increase cyber awareness.

WHAT CAN EMPLOYEES DO

Even though there is no evidence of any unauthorized use of data,
Gliha told employees to remain vigilant to the possibility of fraud
and identity theft by reviewing account statements for any
unauthorized activity.

“If you find any unauthorized or suspicious activity, you should
contact your credit card company or financial institution immediately
and the Geauga County Prosecutor’s Office,” Gliha said.

The county also is offering employees and their family members a free
one-year membership and use of the fraud detection tools available
through Experion IdentityWorks.

“This product provides you with superior identity detection and
resolution of identity theft,” he said.

He added enrollment was free and would not harm anyone’s credit score.

“We apologize for any inconvenience caused to you as a result of this
issue and want to reassure you that maintaining the confidentiality of
your information remains a priority to us,” Gliha concluded his
letter.

Decatur, who is free on bond, is charged with having an unlawful
interest in a public contract, a fourth-degree felony.

According to a complaint filed Oct. 25 in Chardon Municipal Court, the
58-year-old Decatur, acting as a public official, made payments to a
fictitious company, owned and operated by Stephanie E. Stewart, his
daughter.

>From November 2016 to Sept. 28, 2017, “Decatur and Auditor Frank Gliha
have authorized the payment of $259,700.00 to SMCS Tech for Geauga
County Automated Data Processing service without contracts or service
agreements,” the complaint stated.

It also stated “SMCS Tech issued cashier’s checks to Stephen Decatur
that were deposited into his personal account as recently as July 29,
2017.”

On Nov. 27, Decatur’s case was bound over to the Geauga County Court
of Common Pleas. The next day, Ohio Supreme Court Chief Justice
Maureen O’Connor appointed retired Wayne County Common Pleas Court
Judge Robert J. Brown to preside over the case.