December 13, 2010
Colorado database leak puts informants in jeopardy
DENVER (AP) — A Colorado sheriff's online database mistakenly revealed the identities of confidential drug informants and listed phone numbers, addresses and Social Security numbers of suspects, victims and others interviewed during criminal investigations, authorities said.
The breach potentially affects some 200,000 people, and Mesa County sheriff's deputies have been sifting through the database to determine who, if anyone, is in jeopardy.
"That in itself is probably the biggest concern we have, because we're talking about people's personal safety," Sheriff Stan Hilkey said.
The FBI and Google Inc. are trying to determine who accessed the database, the sheriff said. Their concern: That someone may have copied it and could post it, WikiLeaks-style, on the Internet.
"The truth is, once it's been out there and on the Internet and copied, you're never going to regain total control," Hilkey said.
Thousands of pages of confidential information were vulnerable from April until Nov. 24, when someone notified authorities after finding their name on the Internet. Officials said the database was accessed from within the United States, as well as outside the country, before it was removed from the server.
The information was so stunning that Jay Seaton, publisher of the Grand Junction Daily Sentinel, thought it was obtained illegally.
A source provided the western Colorado newspaper with a computer disk shortly after Thanksgiving. The paper first published details of the leak — but not its contents.
"We got that disk returned to the proper authorities," he said. "As a general rule, I don't mind taking some risks. But in something like this, where you can actually get people killed, I'm out."
The disk's contents were legally gleaned from a sheriff's department database. In April, a Mesa County information technology employee moved the database into what the employee believed was a secure server, county spokeswoman Jessica Peterson said.
The information sat there as a large text file. It was first accessed by an outside computer on Oct. 30. Other computers accessed the information over the next 25 days.
Hilkey declined to provide other details. But he surmised that a Google Web crawler that can be programmed to troll the Internet for specific sets of information, such as nine-digit numbers that can be Social Security numbers, found the server.
"Somebody who sets up that kind of Web crawler to search for that kind of information probably doesn't have good intentions," the sheriff said.
The employee who transferred the files no longer works for the county. Peterson declined to say whether the file transfer led to the employee's departure. A Google spokesperson didn't immediately return calls for comment.
Deputies have used the database since 1989 to collect and share intelligence gathered during the course of police work. It contains 200,000 names — Mesa County's population is about 150,000 — and includes investigative files from a local drug task force.
The information included data about Mesa County employees, information from the nearby Fruita and Palisade police departments — and possibly information from the U.S. Drug Enforcement Administration and Grand Junction police.
DEA spokesman Mike Turner and Grand Junction police spokeswoman Kate Porras insisted their agencies' information wasn't compromised because they use their own computer systems. But both agencies work with the Mesa County sheriff's drug task force, whose files were in the database.
FBI spokesman Dave Joly confirmed agents in Denver were assisting in the investigation. He declined to elaborate.