Officials: City's website not hacked after all
BY BRIAN BARBER World Staff Writer
Monday, October 01, 2012
10/01/12 at 5:58 PM
Tulsa’s chief information officer, Tom Golliver, was placed on paid administrative leave Monday after it was revealed that the city’s website hadn’t been hacked after all.
Golliver, 57, has worked for the city of Tulsa since November 2007 but has led the Information Technology Department only since the start of this year.
He earns $138,405 annually and previously worked for Level 3 Communications and WilTel Communications.
A third-party security firm that was hired to do periodic, unannounced tests of the city’s networks for vulnerabilities used an “unfamiliar testing procedure” last month that city IT personnel misinterpreted as an unknown breach, according to a city statement.
The city’s website was offline for more than two weeks as an investigation was conducted and additional security measures were taken.
Some website functions, such as the public meeting agenda postings, are still not working.
City officials didn’t realize that the apparent breach was caused by the security firm, Utah-based SecurityMetrics, until after 90,000 letters had been sent to people who had applied for city jobs or made crime reports online over the past decade, warning them that their personal identification information might have been accessed.
The mailing cost the city $20,000, officials said. The letters encouraged those contacted to closely monitor their credit reports for suspicious activity.
“We are dedicated to the security and protection of our employees and citizens first,” City Manager Jim Twombly said Monday.
“We had to treat this like a cyber-attack because every indication initially pointed to an attack.”
Based on the information available at the time, the city proceeded with the mailings to comply with state notification laws, officials said.
In the internal probe of what happened, workers reviewed network logs and discovered that the breach was caused by SecurityMetrics. The firm informed the city Friday that no personal identification was accessed in its testing procedures.
City spokeswoman Michelle Allen said she didn’t know why SecurityMetrics wasn’t contacted immediately by city information technology workers after the suspected network breach.
“We are still trying to figure that out,” she said, adding that the IT Department will be having a personnel and organization review.
The city’s KPMG efficiency study, conducted in 2010, recommended an overhaul of the IT organization, including processes, practices and infrastructure.
Mayor Dewey Bartlett said that as a result of this situation, he will expedite a request for proposals to get that review done.
“We have used this opportunity to enhance our network security and strengthen processes that we would use to identify potential breaches,” he said.
Bartlett has named Tulsa Police Capt. Jonathan Brooks as the IT Department’s interim director.
“Capt. Brooks is a proven, experienced and successful manager with the Tulsa Police Department,” the mayor said. “He is a well-respected leader who can assist with the organizational demands of IT until this personnel issue is resolved.
“He has vast knowledge and training in safety and security practices that will benefit IT as its staff maneuvers the complexities of the technical systems, networks and connections with the public.”