Personal info on drug informants, suspects, others exposed in Colo.

Sheriff's office accidentally posts names, contact info, Social Security numbers on 200,000 people

Potentially more than 200,000 files from the Mesa County Sheriff’s Office of Colorado, including sensitive data such as names, Social Security numbers and contact information on drug informants, employees, suspects and victims in criminal investigations, were publicly available on the Internet from April to November this year. Information on people who had been served with civil papers, had spent time in the county jail or had applied for a concealed weapons permit also was exposed.

The situation came to light and the information removed only when an individual notified the office after seeing his personal information pop up in a Google search Nov. 24, Mesa County Sheriff Stan Hilkey said in an article by Paul Shockley of the Grand Junction Daily Sentinel.

The records, which span 20 years, could pose a significant threat to individuals’ personal safety, Hilkey told the Associated Press.

"That in itself is probably the biggest concern we have," he said.

Data from the site was accessed multiple times from both national and international locations, specifically Europe, starting Oct. 30 and continuing for 25 days, Hilkey said in the Sentinel article. Hilkey surmised that the information access began after a Google Web crawler found the server, the AP reported.

The department is still trying to determine the scope of the breach and is working with Google and other Internet search engines to remove any data on their sites, and working with the FBI to track down computer users who may have downloaded the information.

Even so, there remains the possibility that the information was printed, downloaded or posted elsewhere on the Internet.

"The truth is, once it's been out there and on the Internet and copied, you're never going to regain total control," Hilkey told AP.

The IT worker at the department who mistakenly posted the information is no longer with the county, interim Mesa County Administrator Stefani Conley said in Shockley’s article.

The employee, who was working to integrate databases among Grand Valley law enforcement agencies, thought he had posted the files to a password-protected encrypted File Transfer Protocol website.

The database is used to collect and share information among local police departments, including the Fruita and Palisade police departments, and possibly information from the Drug Enforcement Administration and Grand Junction police. However, Conley said, there is no indication that internal data from other county departments was exposed.

Meanwhile, the county has instituted new policies designed to ensure that sensitive data isn’t posted on a unsecured site, Shockley reported.

About the Author

Kathleen Hickey is a freelance writer for GCN.

inside gcn

  • IoT security

    A 'seal of approval' for IoT security?

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group