Second report from Platte County auditor cites potential security risks

With the county commission now filing a claim for lost funds against Rob Willard’s public official security bond, the county auditor has issued a new report casting doubts on county data security.

Platte County auditor Kevin Robinson addressed commissioners and the public during the Tuesday, July 5 administrative session with the results of an information systems audit. In this, the second audit released within the last few weeks, Robinson addressed common cyber security issues and the county’s electronic media and internet policies, as well as the level of compliance with those policies in administrative offices. 

The sheriff’s and prosecutor’s offices were not included in the audit. 

“One of the findings was pretty blatant in that over 50 percent of offices had passwords publicly displayed where anyone could use them,” Robinson said.

A total of 123 computers were inventoried and assessed, with 72 of those computers found to have no noticeable concerns. However, 37 computers had unsecured and visible credentials, with three displaying the office employee’s individual credentials. An additional 20 computers had other threats of potential damage or compromise due to unauthorized USB port use, improper unit storage or miscellaneous concerns such as a beverage resting on the computer tower. 

Unauthorized USB port usage included the use of ports to charge personal cell phones. In the sheriff’s and prosecutor’s offices, Robinson said most USB drives were disabled to prevent the use of personal electronics or thumb drives in the systems. 

“Phones are known to have contaminants that can be transferred to computer systems,” Robinson said.

The audit also assessed the vulnerability of computers with point-of-sale functions and internet access. Because of the ready availability of employee credentials and devices plugged into computers, the county only received a “fair” score in the audit with Robinson recommending measures be taken to address concerns. 

Robinson suggested users with access to sensitive data authenticate credentials through a two-step process, which could include biometrics. A biometric system is in use at the prosecutor’s office, he said, and the cost to implement such a system in other departments would not be extreme. 

Other recommendations included updates to the employee media policy guide and limiting internet access on point-of-sale machines. He also suggested periodic phishing tests and annual review of policy.

A test phishing email was sent to 81 randomly selected Platte County employees as part of the audit. 

The email spoofed a county information technology account and asked employees to reset their passwords. It included a password-reset link that, when clicked, notified the employee they had fallen for a phishing scam. After a day, seven employees had opened the email and clicked on the link. Several employees noticed the message and alerted the information services department, and several reset their passwords without responding to the email.

The county received a “good” rating in this test, requiring no further action.

In the report, Robinson reaffirmed the findings of his first audit, which centered around the May 27 incident where treasurer Willard wired $48,220 to a Florida bank account. A series of emails to Willard from an account spoofing presiding commissioner Ron Schieber’s county email account requested the money be immediately wired to pay for a tax consultant.

“The IS audit identified areas for the county to strengthen its processes and practices,” Robinson wrote in the report. “The audit further confirmed the current county IS (information system) procedures would not have prevented the wire transfer from occurring. The county’s electronic media policy defines approved use of county equipment, which is to be used strictly to conduct county business. The wire transfer was perceived by the treasurer as county business and, therefore, does not violate the county’s electronic media and internet policies. 

“Releasing the wire was the sole action of the treasurer.”

The first audit report found that the fraudulent wire transfer was an isolated incident, but that Willard had bypassed county policy to make the transfer.

Since then, the county has been working toward recovering the money, $28,000 of which has already been recovered. In June, the commission sent Willard a letter asking that he personally refund the money, in addition to legal fees incurred, to the county and its taxpayers.

Willard declined. 

The commissioners also sent a letter to prosecuting attorney Eric Zahnd, asking for an investigation into the transfer. Zahnd declined and recused himself from the matter because Willard had previously worked in his office prior to his election as treasurer. 

The commission then petitioned presiding judge James Van Amburg to appoint a special prosecuting attorney.

Platte County sheriff Mark Owen contacted the commissioners, notifying them his office would be investigating the situation. The transfer may have violated Missouri statute governing responsibility for county treasurers.

The commissioners cited Missouri State Statute 54.140 for the basis of their request for a criminal investigation. The wording reads, in part, “It shall be (the treasurer’s) duty to pay out the revenues thus subdivided, on warrants issued by order of the commission, on the respective funds so set apart and subdivided, and not otherwise; and for this purpose the treasurer shall keep a separate account with the county commission of each fund which several funds shall be known and designated as provided by law; and no warrant shall be paid out of any fund other than that upon which it has been drawn by order of the commission.”

If found to be in violation, Willard could face a misdemeanor charge with potential punishment of a fine between $100 and $500 and vacation of office.

Other than noting the county had filed a claim against Willard’s public official surety bond, Schieber had no further comment on the situation at the July 5 meeting. 

“We’re just waiting now to hear back on the bond claim,” Schieber said. 

Previously, he said the commission would pursue all available avenues to recover the money.