x

Investigation: Your Life for Sale

6 years 10 months 4 days ago Tuesday, May 23 2017 May 23, 2017 May 23, 2017 9:36 PM May 23, 2017 in Investigations

BROWNSVILLE – The personal information of tens of thousands of Rio Grande Valley residents were put at risk, as estimated in a CHANNEL 5 NEWS investigation of a computer server found at a local flea market.

Tens of thousands of names, addresses and Social Security numbers were contained on files accessed without the need of a password. The server once belonged to Cameron County.

CHANNEL 5 NEWS obtained the server from an anonymous source, who described himself as a hacker. He said he found the treasure of information at the 77 Flea Market in Brownsville.

“I knew exactly what it was… I knew exactly what I had from the moment I saw it,” he said. “I saw this and I thought, you know, ‘This is a major security flaw.’”

The man said he knew the server was still accessible, because all six of its hard drives were still installed. However, he didn’t know at that point what was in it or how easy it would be to break into it.

CHANNEL 5 NEWS Chief Engineer Michael Leal evaluated how to get into the 15-year-old server. He loaded a small version of Windows allowing him to see the file system without inputting a password.

“Right now, I can see everything on this computer. It’s as though I logged on with Windows and everything’s available to me,” he said.

After accessing the file system, Leal said he discovered a law enforcement database easily accessible.  The database contained hundreds, if not thousands, of case files.

“I got their case number and I got their vehicle VIN number… Now, I have their Social Security number,” he said.

Within the case files, the Texas Application for Vehicle Title documents showed names, addresses, VIN numbers and Social Security numbers.

Joe Garcia, assistant attorney general at the Texas Attorney General’s Office and the Consumer Protection Division, said there are many risks at play. “A Social Security number is sufficient to file a tax return, open up credit card accounts, and get medical treatment, if necessary,” he said.

We also learned the server stored information from the Cameron County Tax Office and the county elections office. After looking at thousands of files, we found an even larger treasure trove in a single file.

The file was small enough to send in an email. The PDF document contained more than 900 pages of rows of names, addresses and Social Security numbers.

CHANNEL 5 NEWS took the findings to the Cameron County Tax Office, elections office, IT and the county judge. We wanted to know how it fell into unknown hands and who was responsible.

Cameron County Judge Eddie Trevino granted us an interview. He said he would speak for all the departments.

“We want to confirm that it was part of a particular auction,” he said.

Trevino said some county equipment taken out of service goes to auction. He said the county also has a policy that outlines how to destroy information before disposing of hardware.

“Not sure if it got auctioned off in the last year, two, three or four. I haven’t been able to determine that, but it was definitely after the policy was in place,” he said. “So, it’s a concern because it’s either the policy didn’t get followed properly - the information wasn’t removed, scrubbed, destroyed - or two, somebody was doing something that they’re not supposed to do and did this on their own.”

Trevino said the responsibility of destroying county information from hard drives falls on the county’s IT department. Cameron County Elections Administrator Remi Garza said the PDF was created in 2007 as a cross-reference of who’s eligible to vote.

“Based on the size and description of what you’ve given us, it’s actually a listing out of all the registered voters of Cameron County for that time,” he said.

CHANNEL 5 NEWS estimated some 30,000 identities were on the single document. Our door-to-door effort to tell people about our findings was minuscule, by comparison of other stories we’ve done before. We told potential victims we had their personal information. Some were surprised to see information so old. But they were still concerned about where it came from.

“We work for our own stuff and then for somebody just to take over this and take it apart. It’s just tough you know,” one resident said.

Several other trips to the 77 Flea Market amounted to nothing more. Still, we decided to go back one more time to find the vendor of the server.

CHANNEL 5 NEWS asked the vendor if he knew what he was selling. He told us he remembers buying several servers last year at an auction.

To our surprise, we found 22 more computers marked with Cameron County labels at his table. Inside of them, we found more hard drives. We paid him for all of them.

The hacker said he saw many county devices for sale the day he bought the server at the flea market.

“I could have easily just kept it, sold it online. That’s super easy,” he said. “I’m what you would call a white hat hacker. I go look for things that can affect people, and I help them out by not letting black hats get to it.”

Learn More: Hacker Lexicon: What are White Hat, Gray Hat, and Black Hat Hackers?

He said he’s concerned more computers could be out there. “All this information can be used to destroy people’s lives,” he said.

CHANNEL 5 NEWS deleted the sensitive video and shredded the copies that were made. We turned the server over to the Texas Attorney General’s Office. The other 22 newly purchased computers are secure in our headquarters. We will be looking at them and taking the necessary steps to make sure people’s information is secure.

CHANNEL 5 NEWS continues pushing Cameron County to account for the equipment and seek answers for the people whose information was mishandled. Trevino said he plans to bring up what happened to the commissioner’s court. He said he may recommend some changes, including putting an end to auctioning county hard drives.

Anyone concerned about their personal identity can contact one of the big three credit agencies and place an alert, according to the Better Business Bureau. The organization said doing that can cause creditors to notify you if someone is trying to open up a line of credit in your name. 

Link: Federal Trade Commission – Place a Fraud Alert

Link: IRS – Taxpayer Guide to Identity Theft

Link: IRS – Data Breach: Tax-Related Information for Taxpayers

More News


Radar
7 Days