The Purcellville Town Council held an emergency meeting Saturday afternoon to discuss a “data security incident” related to a flash drive filled with more than 9 gigabytes of personal information that escaped the town’s control two years ago.
Last month, a subcontractor of the town found that thousands of pieces of personal information contained on a flash drive in the possession of former interim town manager Alex Vanegas may have been shared with people outside the government. In response, the firm sent letters to those affected by the breach, but did so on town stationary—a choice that led some recipients to believe the letters were inauthentic. The Town Council also was unaware that the letters were sent out, which prompted the special meeting to sort through the situation.
According to a brief from Town Manager David Mekarski, during the investigation into now-discredited claims of misconduct against Police Chief Cynthia McAlister, Vanegas in fall 2017 directed IT Director Shannon Bohince to copy McAlister’s email box onto a flash drive. When Bohince delivered the drive to Vanegas, Bohince informed him that the drive should remain at the town hall. Vanegas agreed and delivered the drive to Georgia Nuckolls, the human resources consultant he recommended be hired to help with the investigation, which resulted in McAlister being fired.
In April 2018, Vanegas was fired after an investigation conducted by the Wilson Elser law firm found that the investigation into McAlister led by Vanegas and Nuckolls was not “fair, unbiased, and thorough” because Vanegas did not properly manage it and was involved in inappropriate personal relationship with Nuckolls. McAlister was reinstated to her position.
The town subsequently lost track of the flash drive, although Bohince made a copy before handing it to Vanegas.
That same month, Brian Reynolds, the publisher of the Loudoun Tribunewho plead guilty to wire fraud in Federal District Court in June as part of an alleged effort to defraud investors and lenders supporting his newspaper, claimed to be in possession of McAlister’s entire email box. That prompted the town to file a claim with its insurance company, Virginia Risk Sharing Association.
VRSA hired the Beazley cyber services company and the McDonald Hopkins law firm to conduct a forensics investigation using Bohince’s copy of the flash drive. The firms found that the 9.1-gigabyte flash drive includes 1,800 pieces of information at risk.
On Oct. 17 this year, McDonald Hopkins sent letters out to individuals affected by the breach. Those include people who had been charged with or been victims of various crimes, people who have filed police reports and regional law enforcement officers. They include people living not only in Purcellville and Loudoun, but also in localities across the nation.
Mekarski said that while in most cases, the information pertained to reports filed by McAlister’s department, some of it includes Homeland Security terrorism alerts and communications between McAlister and Attorney General Mark Herring’s office and the FBI. He pointed out that the town has determined that no security-related incidents resulted from the breach.
The letters from McDonald Hopkins were sent using the town’s letterhead, but included the firm’s address and phone number, rather than the town’s.That sparked concern among many of the recipients, as they were unsure about the authenticity of the letters. Although the firm reviewed the letters with the town staff before sending them, the staff did not inform the Town Council that the letters were going out.
Upon hearing the concern, Vice Mayor Tip Stinnette called the emergency meeting Saturday to allow the town staff to bring the council up to speed.
“It’s better to put everybody into one room and answer some questions,” he said. “There’s a lot of disinformation out there.”
Mekarski said he could have done a better job giving advanced notice to the Town Council. “Our job as custodian of their personal information was to ensure that the abhorrent behavior that inflicted the town administration would not victimize other innocent individuals,” he wrote in an email to council members prior to Saturday’s meeting.
Mekarski said the town is now focused on risk mitigation and ensuring that people respond to the letters and have the chance to take the insurance company up on the opportunity to enroll in a free identity theft protection program.
Stinnette said the Town Council might discuss the situation further at its meeting this Tuesday night, Nov. 12.