Ex-Sheriff: Mesa County Website Breach Could Endanger People

Confidential Law Enforcement Records Accidentally Posted On Website For Months

Police informants’ names and home addresses of sheriff’s deputies are among a mountain of confidential information accidentally posted on Mesa County’s public website for seven months, authorities said.

Now Sheriff Stan Hilkey and top county administrators are scrambling to notify as many as 200,000 people whose names appear in the Sheriff’s Office records management system that their information could have been compromised, the Grand Junction Daily Sentinel reported Friday.

Officials said they don’t know how many people’s files were publicized in the breach of more than 20 years of personal and investigative law enforcement records.

“My flush reaction is it’s obviously a cyber disaster,” former Sheriff Riecke Claussen told the Sentinel. “I think that, obviously with the type of information that the sheriff’s office deals with, that security of information is of top concern.”

Claussen, who worked for the sheriff’s office for 32 years, said the release of private information “could be a life-threatening situation for people who have been involved in law-enforcement investigations” and called the potential compromise of criminal investigations “frightening.”

The files posted on the website featured included names of confidential informants, e-mails about crime victims and homicide investigations, the newspaper said. They also included personal details about sheriff’s employees: home addresses, names of employees’ spouses and children and schools the children attend.

Comprised information could include records from the Fruita Police Department since 2002 and the Palisade Police Department since 2007, because those agencies have used the sheriff’ record-management system on a limited basis during those years, county officials said.

In a Friday statement titled “Protect Yourself (Data Breach Update),” county officials said, "Anyone concerned about their information possibly having been compromised should ask the credit bureau to set up a fraud alert on their account."

“While many people may not be in the database that was exposed, we think it’s better to be proactive,” said Acting Mesa County Administrator Stefani Conley. “We urge anyone who thinks there’s a chance that their personal information might be involved to take action.”

“This is a good first step toward preventing identity theft, which occurs regularly,” Hilkey added. “It’s one phone call. It’s always a good idea to take the time to protect yourself.”

Hilkey said his agency has notified confidential informants about what happened.

Authorities told the Sentinel an employee in the county’s Information Technology Department in April accidentally loaded the files onto what he believed was an encrypted county server. The employee was working on a project integrating computer databases between Grand Valley law-enforcement agencies.

Instead, the information was posted on the county’s public website, the newspaper said. Authorities later learned someone outside the county first accessed data on the website Oct. 30. The site wasn’t taken down until Nov. 24, when an individual found their name mentioned in the files while searching the Internet and notified authorities.

The longtime information technology employee, whom the sheriff’s officials wouldn’t name, no longer works for the county, the Sentinel said.

Hilkey said the data was accessed multiple times from local, national and international computers, the newspaper said. But authorities are struggling to assess the magnitude of the break, including exactly how many people have obtained the information and how much of it remains online.