In addition to the charges of theft by a public servant and misapplication of fiduciary property, former Brownsville, Texas, fire chief Carlos Elizondo now faces security breach charges. According to KRGV News, Elizondo was indicted by a grand jury in an 11-count case of computer security breach charges.
After Elizondo was suspended from the fire department on 9 October 2017, he allegedly logged into a computer network 11 different times between 11 October and 23 November 2017. Elizondo was reportedly attempting to access the emergency reporting system portal for the Brownsville Fire Department without consent of the City of Brownsville.
Elizondo was arrested in May outside of his attorney’s office on two misdemeanor charges of computer security breach, according to a 3 July report from Firehouse. Infosecurity Magazine contacted the Brownsville Fire Department, who declined to comment on the ongoing investigation.
Whether it’s the Office of Personnel Management breach in 2015, the attack on the City of Atlanta or the string of municipalities that have been hacked because of a vulnerability in Click2Gov, it is clear that government agencies are equally as vulnerable as private companies to attacks from outside and within.
In a 4 July post on best security practices for public entities, BenefitsPRO wrote, “Public agencies use an extensive network of critical systems and communication that operate over potentially vulnerable channels.”
Failure to deny former employees access to networks creates security risks, particularly from malicious insiders, as was the case with the former employee at Tesla who is being sued for hacking and theft, according to CNN.
Yet it is often the case that former or suspended employees have continued access with their login credentials long after they have left their place of employment. In the case of the former Brownsville fire chief, the fact that he was reportedly told not to access the emergency reporting system was insufficient. Though Elizondo’s intent remains unclear, the charges are a reminder that public agencies are susceptible to insider threats.
“It’s one thing to have an insider try to snoop around systems and files, but it’s another issue altogether if they’re successful,” said Ken Spinner, VP of global engineering at Varonis.
“The company needs to have the controls in place to ensure these insiders don’t get very far when they try to access valuable information. Not all threats to your company are external, and no company is safe from insider threats.”