Purcellville Town Council holds emergency session on Saturday regarding data breach

From left, Purcellville Town Council members Tip Stinnette, Ted Greenly, Nedim Ogelman, Joel Grewe and Chris Bledsoe discuss the Purcellville government data breach during an emergency Town Council session Nov. 9.

Updated story following the Nov. 12 council meeting:

The data breach is part of the ongoing fallout from the town's investigation into Purcellville Police Chief Cynthia McAlister led by former interim town manager Alex Vanegas and Georgia Nuckolls, the human resources consultant who was hired to lead the investigation. The investigation -- which led to McAlister's firing and eventual re-hiring -- was found to be entirely without merit.

At Saturday's session, Town Manager David Mekarski told council members the events leading to the data breach were triggered beginning in October 2017, when the town's IT director, Shannon Bohince, provided a memory stick with a database from Chief McAlister's computer to Vanegas.

Vanegas was told by Bohince that the stick contained highly confidential information and could not be removed from the town's premises.

Mekarski said the memory stick has never been recovered from either Vanegas or Nuckolls.

According to town officials, the breach was discovered after the independent law firm Wilson Elser released its report that debunked the McAlister investigation in April 2018. The town then contracted with two firms, Beasley and McDonald Hopkins, who were paid by the town's insurance with the Virginia Risk Sharing Association, to conduct a forensic investigation of the mirrored copy of the memory stick, a copy of which was kept by Bohince.

The stick contained 9.1 gigabytes of information, or tens of thousands of pieces of correspondence.

Through data mining, correspondence containing personal identifiers such as Social Security numbers, license numbers, birth dates, medical information, credit card numbers or bank numbers was tagged for further investigation. Following this process, all suspected pieces of correspondence were screened by a panel of people to determine their risk of liability.

Following the screening process, 1,800 pieces of correspondence were determined to be of sufficient risk to warrant notifying the recipient and offering proactive mitigative action. The parties affected were from across the region and multiple states, Mekarski said.

People who were tagged ranged from those charged with various crimes to victims of crimes or citizens filing police reports. Members of regional law enforcement were also notified due to personal identifiers.

The contractors sent out the letters on town letterhead, but with the contractors' contact information in Harrisburg, Pennsylvania, which caused many people to question the legitimacy of the letter.

Mekarski said Town Council was not notified about the letter before it was sent out.

“The intent of this program was to take an aggressive proactive measure to protect our citizenry and those individuals that had conducted business with the town of Purcellville either voluntarily or involuntarily, from the possibility of identity theft. While we had no evidence of any specific breach with this group of 1,800 individuals, our job as custodian of their personal information was to ensure that the aberrant behavior that inflicted the town administration would not victimize other innocent individuals,” Mekarski said.

On Saturday afternoon, Vice Mayor Tip Stinnette started out the meeting by apologizing for the method in which the letters were rolled out without advance notice to the public.

“We collectively could have and should have done a better job in rolling this information out to the community -- for that I apologize,” Stinnette said.

Council members had questions surrounding the letter and the data breach – many of which have not been answered. They compiled a list of about 20 questions for Mekarski to address.

Councilman Joel Grewe asked what the options were for recovery of the missing thumb drive and what costs could be associated with recovery.

“Does this breach qualify as a criminal act, and what are the options for that? Why did it take the amount of time it did for the letter to come out?” Grewe said.

Mayor Kwasi Fraser and Councilman Ryan Cool were absent from the weekend meeting.

Purcellville Police Chief Cynthia McAlister, Town Attorney Sally Hankins, Director of Administration Hooper McCann and Bohince were present at the meeting, and Mekarski joined by phone.

In a phone interview with the Loudoun Times-Mirror on Tuesday, Mayor Fraser said he received an email from former Loudoun Tribune publisher and political operative Brian Reynolds on Nov. 28, 2017. The email indicated that Reynolds had in his possession “the full investigation report on McAlister, the polygraph report on Fraley, McAlister's emails (all of them) as well as copies of the investigative interviews from McAlister (5 hours long) to Dufek, Dinkins and more.” Fraser said he handed over this email along with several others from Reynolds to the firm Wilson Elser, which the town voted to hire to conduct a second investigation on Dec. 7, 2017.

In June, Reynolds pleaded guilty in federal court to one count of wire fraud in a bid to secure funding for his publication and one count of possession of a firearm by a felon. Those charges were not in relation to the Purcellville incident. Reynolds is also a convicted felon from the 1990s and lied to the FBI in 2017 about owning guns. According to the indictment, he illegally owned at least eight guns and five boxes of ammunition. More than 20 years ago, Reynolds was sentenced to more than six years in federal prison for wire fraud and forgery charges.

“I did not know about Reynolds' criminal record, and he was introduced to me as the publisher of the Loudoun Tribune. I did not have a relationship with Reynolds,” Fraser said.

At a staff meeting with town employees on Dec. 7, 2017, the issue of credit monitoring was discussed. Fraser said no agreement was made at that time to offer credit monitoring to employees because it was not clear if anyone was compromised.

Fraser also indicated that he was unaware that VML had hired someone to do another investigation into the possible data security breach issue.

“It caught me by surprise. I thought they took care of this in the [Wilson Elser] investigation,” Fraser said.

Fraser was not ready to make a statement as to whether criminal charges should be filed against Nuckolls or Vanegas. “We will see what the town can and cannot pursue. I'm going to wait to see what the experts say,” he said.

At Tuesday night's council meeting, Vice Mayor Stinnette and Mekarski reviewed the updated information they received since the weekend meeting.

Mekarski said the contractor is keeping a tally of calls received from individuals who received the letter. To date, they have received 44 calls.

He said out of the 1,800 letters sent out, 25 were from the Purcellville ZIP code.

In addition, he said 1,740 personal identifiers were attributed to a single entity, which he was not yet able to name.

The Times-Mirror has learned that letters were received by retired and active members of the Fairfax County Police Department. Department spokeswoman Lisa Connors confirmed they are conducting an internal investigation into the matter.

________

Original report: Nov. 11, 12:30 p.m.

Purcellville Town Council held an emergency session Saturday afternoon to discuss letters that were recently received by about 1,800 people informing them of a data security breach in the Town of Purcellville.

The data breach is part of the ongoing fallout from the town's investigation into Purcellville Police Chief Cynthia McAlister led by former interim town manager Alex Vanegas and Georgia Nuckolls, the human resources consultant who was hired to lead the investigation. The investigation -- which led to McAlister's firing and eventual re-hiring -- was found to be entirely without merit.

At Saturday's session, Town Manager David Mekarski told council members the events leading to the data breach were triggered beginning in October 2017, when the town's IT director, Shannon Bohince, provided a memory stick with a database of all of Chief McAlister's emails to Vanegas.

Vanegas was told by Bohince that the stick contained highly confidential information and could not be removed from the town's premises.

Mekarski said the memory stick has never been recovered from either Vanegas or Nuckolls. 

According to town officials, the breach was discovered after the independent law firm Wilson Elser released its report that debunked the McAlister investigation in April 2018. The town then contracted with two firms, Beasley and McDonald Hopkins, who were paid by the town's insurance with the Virginia Risk Sharing Association, to conduct a forensic investigation of the mirrored copy of the memory stick, a copy of which was kept by Bohince.

The stick contained 9.1 gigabytes of information, or tens of thousands of pieces of correspondence.

Through data mining, correspondence containing personal identifiers such as Social Security numbers, license numbers, birth dates, medical information, credit card numbers or bank numbers was tagged for further investigation. Following this process, all suspected pieces of correspondence were screened by a panel of people to determine their risk of liability.

Following the screening process, 1,800 pieces of correspondence were determined to be of sufficient risk to warrant notifying the recipient and offering proactive mitigative action. The parties affected were from across the region and multiple states, Mekarski said.

People who were tagged ranged from those charged with various crimes to victims of crimes or citizens filing police reports. Members of regional law enforcement were also notified due to personal identifiers.

The contractors sent out the letters on town letterhead, but with the contractors' contact information in Harrisburg, Pennsylvania, which caused many people to question the legitimacy of the letter.

Mekarski said Town Council was not notified about the letter before it was sent out.

“The intent of this program was to take an aggressive proactive measure to protect our citizenry and those individuals that had conducted business with the town of Purcellville either voluntarily or involuntarily, from the possibility of identity theft. While we had no evidence of any specific breach with this group of 1,800 individuals, our job as custodian of their personal information was to ensure that the aberrant behavior that inflicted the town administration would not victimize other innocent individuals,” Mekarski said.

On Saturday afternoon, Vice Mayor Tip Stinnette started out the meeting by apologizing for the method in which the letters were rolled out without advance notice to the public.

“We collectively could have and should have done a better job in rolling this information out to the community -- for that I apologize,” Stinnette said.

Council members had questions surrounding the letter and the data breach – many of which have not been answered.

Councilman Joel Grewe asked what the options were for recovery of the missing thumb drive and what costs could be associated with recovery.

“Does this breach qualify as a criminal act, and what are the options for that? Why did it take the amount of time it did for the letter to come out?” Grewe said.

Mayor Kwasi Fraser and Councilman Ryan Cool were absent from the weekend meeting.

Purcellville Police Chief Cynthia McAlister, Town Attorney Sally Hankins, Director of Administration Hooper McCann and Bohince were present at the meeting, and Mekarski joined by phone.

Town Council is expected to discuss the issue at Tuesday night's meeting, Stinnette said.

(10) comments

Representing the Mambo

The HR consultant that was hired (multiple felony convictions for fraud) apparently shared much of this classified information with her friend/former employer, Brian Reynolds (himself a convicted felon-fraud) which in turn was referenced in several articles in the now defunct Loudoun Tribune. There is also a hate blog on Facebook - "Citizens hate LTM and Trevor Barko" that has posted all kinds of classified information in an effort to defame, humiliate, and disparage those who opposed this kind of behavior or supported Chief McAlister. During the investigation, emails surfaced referencing Sheriff Mike Chapman's involvement in this mess. The disgraced HR person and Brian Reynolds are good friends and big supporters of Chapman. If I'm correct, the FBI will have completed a forensic analysis of the hard drives/servers they seized in their investigation and people will soon be getting locked up. Anyone up for a special election?

Locojrt

How does this ongoing fiasco surprise anyone!

IQuilt

Va SGP... The Mayor knew of this breach in Dec of 2017 according to the Loudoun Times. So how is this related to those who are suing the Town? This breach was known long before the Phase 1 & 2 Reports were released, the Chief of Police was re-hired and long before any suits were filed. Why not take issue that the Mayor did nothing when he was told by Brian Reynolds I have all the emails, the investigation report, etc.? Did the Mayor notify the rest of the Town Council? Did the Mayor notify the Town HR Director? Did he notify the Town Attorney? Just what did the Mayor do when he learned of the breach? Why not hold those in power accountable? Why blame those that had nothing to do with the breach? And, if you read the lawsuits there was nothing in the lawsuits about a data breach. So, how is this posturing if they are not suing for the data breach?

Chris McHale

Is this Season 5, Episode 4 of the comedy show "Purcellville"?

peregrine56

So the IT Director, whose primary accountability is protection of data, actually copied sensitive data on to a "memory stick". But oh wait, it must stay here! Never heard of a secure password protected network drive huh? If she were in the private sector, she would be long gone. This is IT malpractice. Also, I can assure you the unwitting folks caught up in this nonsense do not consider it "posturing". Especially law enforcement officers.

Virginia SGP

This is posturing by those in the lawsuit trying to run up the damage claims. The town of Purcellville should be de-incorporated.

IQuilt

Va SGP... The Mayor knew of this breach in Dec of 2017 according to the Loudoun Times. So how is this related to those who are suing the Town?

This breach was known long before the Phase 1 & 2 Reports were released, the Chief of Police was re-hired and long before any suits were filed.

Why not take issue that the Mayor did nothing when he was told by Brian Reynolds I have all the emails, the investigation report, etc.? Did the Mayor notify the rest of the Town Council? Did the Mayor notify the Town HR Director? Did he notify the Town Attorney? Just what did the Mayor do when he learned of the breach?

Why not hold those in power accountable? Why blame those that had nothing to do with the breach?

And, if you read the lawsuits there was nothing in the lawsuits about a data breach.

So, how is this posturing if they are not suing for the data breach?

IIfx

De-incorporation might be a path residents would be looking at if problems build up into the future. This would be a ballot box issue, with its own benefits and drawbacks. Benefits could be lower costs by sharing costs with the overall county (i.e. merging water operation into Loudoun Water, recreational facilities into PRCS, merging Police into Sheriffs Dpt), obtaining more county benefits (i.e. County FiOS franchise, elimination of local food tax, reduction in property tax, reduction in auto tax). Drawbacks would be loss of local control, loss of resistance to developers at the local level due to BoS having too few seats for hyper-local representation, etc. Debate for this would be extremely passionate on both sides.

Hopefully things get better soon.

RandomName2019

The most responsible thing that Purcellville could do for its residents would be to un-incorporate. With the growing utility issues and costs, mounting lawsuits, limited growth opportunities, and overall management issues, it doesn't make sense to continue taxing residents for duplicate services that could be better provided by the County.
