Westfield IT director stops active cyber security breach after clerk-treasurer issues third-party contract 

0

Larsen

City of Westfield Director of Informatics Chris Larsen stopped what he believed was an active cyber-security breach occurring in Clerk-Treasurer Cindy Gossard’s office the night of July 26 and, in the process, found laptops belonging to a third-party contractor hired – but not identified – by Gossard. 

Larsen also discovered unknown software running on the city’s computers and city computers with dismantled hard drives in the office. 

Gossard

The breach occurred the same evening of the Westfield City Council meeting during which Gossard accused the city of using BeyondTrust, a software the city has used in some capacity since 2011, as spyware on all six computers in the clerk’s office and accessing and potentially changing the data on those computers without her permission. She said her staff began noticing “glitches,” such as mouse icons moving without the employees’ input. There also was a saved user login for one of the staff member’s computers separate from the staff member’s login, she said.  

Westfield City Attorney Blake Burgan issued a letter to Will Webster, Gossard’s attorney, July 27 informing him of the breach. 

The letter stated Larsen stopped the active breach when he observed laptops in the clerk-treasurer’s office running an unknown software.

However, Gossard told Current there was no breach and that the third-party copying the city’s hard drives to their computers was conducting the investigation Gossard had informed the council about during its July 26 meeting. 

Gossard told the council that the clerk-treasurer’s office would be conducting its own investigation into the BeyondTrust software on the six office computers. However, when the city gave her a list of approved IT investigators, she opted for a different company that she and Webster refused to name. The company arrived at her office July 26, and after the council meeting, Larsen observed the computers copying the city hard drives, in what he thought was a cyber breach. 

In an attempt to stop the breach, he seized the unknown computers. The investigation company then planned to press charges against Larsen for theft but dropped those charges when Larsen returned the computers. The hard drives were still in the third-party investigator’s computers, and they were planned to be returned to the city July 29. 

(Larsen) also observed that city laptops were dismantled, with the hard drives removed. With all of the sensitive information on the city’s systems, including financial information, confidential vendor documents, confidential police and other data, Mr. Larsen was forced to take immediate action to preserve that information,” the letter from Burgan stated.

Gossard confirmed the investigator doesn’t work for the city and was contracted through the clerk-treasurer’s office. Gossard said she’s not sure what data was included on the hard drives.

“(The city) knew I wasn’t doing a security breach, I was doing my investigation,” Gossard said. “They stopped my investigation.”

Gossard said her investigator did copy the entirety of the computers’ hard drives and that the investigation could take two or three weeks to complete. 

(Gossard) doesn’t have authority to have somebody access city resources for any reason whatsoever,” said Manny Herceg, one of the city’s attorneys. “Hiring someone to access city systems for whatever purpose does not directly affect the (clerk-treasurer) job, and we know the computers hooked up to city computers were not city computers.”

Herceg has requested what data had been downloaded from the city computers but hasn’t received that information. 

“We need to be sure what happened. We need to be sure that our city employees’ data wasn’t downloaded,” Herceg said. 

In his letter, Burgan called the act “unprecedented.” 

“For the clerk-treasurer to act with such brazen disregard for the integrity of the city’s data is not only reckless, it is a clear breach of her duties. We need immediate answers about what occurred (July 26) and what information was removed from city property and systems. We also need the contact information of the third party and the alleged ‘contract’ the Clerk-Treasurer entered into with that party,” the letter stated. 


Current Morning Briefing Logo

Stay CURRENT with our daily newsletter (M-F) and breaking news alerts delivered to your inbox for free!

Select list(s) to subscribe to



By submitting this form, you are consenting to receive marketing emails from: Current Publishing, 30 S. Range Line Road, Carmel, IN, 46032, https://www.youarecurrent.com. You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact
Share.