Purcellville Sorts Through Data Breach Stemming from 2017 Botched Investigation

The Purcellville Town Council held an emergency meeting Saturday afternoon to discuss a “data security incident” related to a flash drive filled with more than 9 gigabytes of personal information that escaped the town’s control two years ago.

Last month, a subcontractor of the town found that thousands of pieces of personal information contained on a flash drive in the possession of former interim town manager Alex Vanegas may have been shared with people outside the government. In response, the firm sent letters to those affected by the breach, but did so on town stationary—a choice that led some recipients to believe the letters were inauthentic. The Town Council also was unaware that the letters were sent out, which prompted the special meeting to sort through the situation.

According to a brief from Town Manager David Mekarski, during the investigation into now-discredited claims of misconduct against Police Chief Cynthia McAlister, Vanegas in fall 2017 directed IT Director Shannon Bohince to copy McAlister’s email box onto a flash drive. When Bohince delivered the drive to Vanegas, Bohince informed him that the drive should remain at the town hall. Vanegas agreed and delivered the drive to Georgia Nuckolls, the human resources consultant he recommended be hired to help with the investigation, which resulted in McAlister being fired.

In April 2018, Vanegas was fired after an investigation conducted by the Wilson Elser law firm found that the investigation into McAlister led by Vanegas and Nuckollswas not “fair, unbiased, and thorough”because Vanegas did notproperly manage it and was involved in inappropriate personal relationship with Nuckolls.McAlister was reinstated to her position.

The town subsequently lost track of the flash drive, although Bohince made a copy before handing it to Vanegas.

That same month, Brian Reynolds, the publisher of theLoudoun Tribunewho plead guilty to wire fraud in Federal District Court in June as part of an alleged effort to defraud investors and lenders supporting his newspaper, claimed to bein possession of McAlister’s entire email box. That prompted the town to file a claim with its insurance company, Virginia Risk Sharing Association.

VRSA hired the Beazley cyber services company and the McDonald Hopkins law firm to conduct a forensics investigation using Bohince’s copy of the flash drive. The firms found that the 9.1-gigabyte flash drive includes 1,800 pieces of information at risk.

On Oct. 17 this year, McDonald Hopkins sent letters out to individuals affected by the breach. Those include people who had been charged with or been victims of various crimes, people who have filed police reports and regional law enforcement officers. They include people living not only in Purcellville and Loudoun, but also in localities across the nation.

Mekarski said that while in most cases, the information pertained to reports filed by McAlister’s department, some of it includes Homeland Security terrorism alerts and communications between McAlister and Attorney General Mark Herring’s office and the FBI. He pointed out that the town has determined that no security-related incidents resulted from the breach.

The letters from McDonald Hopkins were sent using the town’s letterhead,but included the firm’s address and phone number, rather than the town’s.That sparked concern among many of the recipients, as they were unsure about the authenticity of the letters. Although the firm reviewed the letters with the town staff before sending them, the staff did not inform the Town Council that the letters were going out.

Upon hearing the concern, Vice Mayor Tip Stinnette called the emergency meeting Saturday to allow the town staff to bring the council up to speed.

“It’s better to put everybody into one room and answer some questions,” he said. “There’s a lot of disinformation out there.”

Mekarski said he could have done a better job giving advanced notice to the Town Council. “Our job as custodian of their personal information was to ensure that the abhorrent behavior that inflicted the town administration would not victimize other innocent individuals,” he wrote in an email to council members prior to Saturday’s meeting.

Mekarski said the town is now focused on risk mitigation and ensuring that people respond to the letters and have the chance to take the insurance company up on the opportunity to enroll in a free identity theft protection program.

Stinnette said the Town Council might discuss the situation further at its meeting this Tuesday night, Nov. 12.

pszabo@loudounnow.com

4 thoughts on “Purcellville Sorts Through Data Breach Stemming from 2017 Botched Investigation

  • 2019-11-10 at 9:57 pm
    Permalink

    The circus is still alive in Purcellville. It is one fiasco after another.

  • 2019-11-11 at 7:16 am
    Permalink

    Can someone in the Press Please ask the Mayor if he regrets picking Vanegas over Danny Davis. I think it is a legitimate question.

  • 2019-11-11 at 10:19 am
    Permalink

    Is the mayor tired of “Proving us wrong” after a completely packed town hall told the counsel to not let Rob Lohr be forced out. The famous last words after listening to an hour straight of people pleading with the TC to not make the mistake. “I will prove you all wrong” -Fraser ——several million dollars later, please stop proving us wrong, and acknowledge the previous 100+ years of town leadership was much better. Note: All TC members approved appointing Alex, but that was after 5 out 7 members decided to force our town manager out. Cool, Fraser, Ogeleman, Grimm, and Jimmerson. It’s hard to get someone with an established career and years of creditability at stake to go down a dishonest path, but someone desperately trying to establish a career is a much easier target.

  • 2019-11-12 at 4:01 pm
    Permalink

    This keeps getting more and more ridiculous. How to we get a vote to either replace these nitwits or vote of no confidence? How about Purcellville in-incorporate? Going to go bankrupt anyway. Hopefully people will be held accountable for their corrupt ineptitude.

Leave a Reply