An inmate at the Flagler County jail was able to Facebook live out of a GED class on Wednesday, a security breach that had been an issue in April and that the sheriff’s office had asked the county’s IT department–which handles the sheriff’s information technology–to address. The county did not.
The failure angered Sheriff Rick Staly, who is threatening to end the agency’s reliance on the county for IT. The incident led to the suspension of George Holloway, a long-time computer system analyst and IT manager in Flagler County government who is being blamed for the breach. Such breaches are not only security problems–and an embarrassment to the agencies–but could potentially compromise the jail’s hard-won accreditation.
“This is an unacceptable failure and calls into question the decision maker who took the shotgun approach to fix a minor issue and then did not really solve the problem,” the sheriff’s Chief Mark Strobridge wrote Cameron, on behalf of the sheriff, on Thursday in a hand-delivered letter. “I have no confidence in the person making this decision to ‘fix’ what should have been a very narrow scope of an issue. This leads me to believe the decision maker is incompetent or took a shortcut.”
County Administrator Jerry Cameron this afternoon confirmed that Holloway was suspended based on two alleged violations: first, that he did not address the sheriff’s issue when the sheriff’s office first alerted the county of a potential vulnerability in April. And second, that Holloway, after being ordered to stay off county computers–and being blocked from them–found a way to access them anyway through a back-door unknown to county officials, and download materials, some of which he’d requested through public record requests. Holloway, long a protégé of former Deputy County Administrator Sally Sherman, has a pre-disciplinary hearing early next week. He likely faces being fired.
Cameron, who was at a conference in Orlando Friday with the county’s human resources director, spoke with Staly, but said he could not reassure the sheriff just yet that the matter was resolved, or reassure himself that county records have not been compromised. “Until I get a full report on how it happened and what got compromised, I can’t put anybody at ease,” Cameron said with characteristic candor late this afternoon. “I’d like to tell you that there’s no damage done and everything is fine but I can’t be honest at the same time and say that. It is our hope that there is no damage.”
He was referring specifically to Holloway’s alleged breach of computer records. The inmate’s breach of jail security is the other issue.
William Medders is a 25-year-old resident of Bunnell and so frequent an offender that he’s been booked at the Flagler County jail 17 times in the last six years, mostly on non-violent crimes and probation violations. He’s been arrested three times in March and April, and has been at the jail since mid-April on grand theft and burglary, among other charges. Wednesday, he was taking a GED class as part of the jail’s Strive program, which is intended to help inmates reintegrate society with additional tools.
Cpl. Mita Nicholas was working Wednesday afternoon when she got a call from a concerned citizen saying Medders was broadcasting on Facebook Live at 1:54 p.m. from Classroom 2 at the jail. Nicholas logged into Facebook and confirmed the fact. “Please be advised,” Nicholas wrote in his disciplinary report, “in the footage you can clearly hear inmates Mcdermott and Swartz telling inmate Medders to tag them in the video. The video footage was approximately 2 mins and 29 secs long and has been shared by other Facebook viewers. When questioned, inmate Medders admitted to using a Bypass Proxy to access Facebook.”
Inmates are facing discipline “in accordance with Progressive Discipline due to the severity of the breach of security.” Brian Lee Swartz is a 26-year-old homeless man in jail since mid-April on grand theft and other charges. Michael E. McDermott is a 32-year-old Palm Coast resident, at the jail since last December on a grand theft and probation violation charges.
“It’s serious but it was preventable,” Stobridge said. Strobridge coordinated the agreement with the county that handed responsibility for IT to county staff. The arrangement is part of the agency’s efforts to share rather than duplicate resources. In his letter to Cameron, Strobridge refers to an April incident that resulted in the county cutting off the sheriff from all access to social media platforms, though the sheriff’s office uses some of those platforms, including Facebook and Twitter, extensively to connect with residents, issue alerts and disseminate profiles of department personnel and other popular features. The block “hampered” the department’s ability to investigate crimes and inform the public, Strobridge wrote, but access was restored–with the understanding that the security breach had been addressed.
The sheriff’s network is broken down into various portals, so that certain IP addresses may be white-listed (or considered free of blocks) while others are black-listed. “My assumption was the inmate facility issue was solved with the standard practice of locking-down the network router,” Strobridge wrote. Savvy users can also use proxy servers to circumvent many blocks. But it is also possible to prevent access to proxy servers.
Somehow, Medders slipped through.
“I don’t know exactly what happened over there on the tech side of the house, what I do know with certainty is they should not have been able to access this,” Strobridge said this afternoon. “This shouldn’t have happened based on the April discussion that had occurred. Those things could have been locked down.” The GED room with those particular devices was the only place where such a breach could have happened, Strobridge said.
Cameron said Holloway–the county employee who’s been suspended–was already on a performance improvement plan for violating security issues regarding web access. “I do not have any information that has he has damaged any of our data at this pt, that’s still being looked into. He accessed and downloaded information” after his suspension, Cameron said. “It’s a wake-up call for the county. We’ve got to compartmentalize more than we are.”