SALEM — Gov. Kate Brown announced Thursday she will hire an independent expert to review management practices and vulnerabilities at the state data center, after hackers gained access to information at the center last week.
Brown also directed state Chief Information Officer Alex Pettit to take charge of daily operations at the center “for the foreseeable future.”
The data breach occurred at a time when two top managers at the data center — Michael Rodgers, the acting director of the data center, and Technical Engineering Manager Marshall Wells — are on paid administrative leave pending a human resources investigation. The two men have been on leave since February and remained on leave Thursday, according to a DAS spokeswoman.
Auditors from the Secretary of State’s office were already conducting a routine review of security at the data center when the breach occurred. They had identified vulnerabilities at the data center in a 2010 audit, but a March 2012 follow-up audit mostly gave the data center good marks for security.
Brown revealed the data breach in a press release Thursday, and said she plans to ask leaders in the Legislature for money to pay for the review.
The governor said an “unknown external entity” had accessed limited information at the data center. Chris Pair, a spokesman for Brown, described it as information about the location of data on state computer servers, but not the actual data. State employees notified the governor of the breach on March 20, and Pair said it occurred a few days before that.
It was the third high-profile data breach to occur at a state agency in the last 13 months. Hackers accessed the Secretary of State’s business registry and campaign finance databases in February, and the Oregon Employment Department revealed a similar breach in October.
The state data center, which is housed at the Department of Administrative Services, also came under scrutiny in February when a staffer for then-Gov. John Kitzhaber asked employees at the center to delete emails from Kitzhaber’s personal account that were stored on state computer servers. Employees ultimately refused to delete the emails, and the U.S. Department of Justice has since subpoenaed the emails and other state records for an investigation into Kitzhaber and his fiancee, former first lady Cylvia Hayes.
The Willamette Week newspaper reported on the deletion request, and emails from Kitzhaber’s personal account were apparently leaked to the newspaper. Michael Jordan, who was director of the Department of Administrative Services, asked the Oregon State Police to investigate the leak.
Kitzhaber resigned Feb. 18 amid two criminal investigations into allegations he and Hayes used their public positions to benefit Hayes’ consulting business. Jordan submitted his resignation to Brown March 5 without explanation.
Before Jordan resigned, he told The Oregonian that Rodgers and Wells were placed on leave during an internal investigation into a dispute over how to handle computers and phones used by the Kitzhaber administration.
“Oregonians should not have to worry that their personal information such as social security numbers, home addresses or health records held by state agencies could be accessed illegally,” Brown said in a press release Thursday. “Although I have been assured that no personally identifying information was compromised, this incident causes me to have serious concerns about the integrity of state data.”
Brown said the state will use an “expedited competitive process” to hire the independent expert to review management and vulnerabilities at the data center.
Ironically, the governor’s office revealed the data breach the same day Attorney General Ellen Rosenblum appeared before a legislative committee to testify in favor of a bill that would expand protections for consumers’ personal data. The bill would also allow the state Department of Justice to pursue civil penalties against individuals and organizations that fail to comply.
The Capital Bureau is a collaboration between EO Media Group and Pamplin Media Group.