Last year, Bernalillo County was hacked. Will removing employee names online prevent future attacks?

Alaina Mencinger , Albuquerque Journal, N.M.
·5 min read

Aug. 11—Just another nameless bureaucrat.

Such could be the future for Bernalillo County employees — at least on the county's transparency portal.

In an attempt to wipe identifying information that could aid and abet phishing operations, a proposal to remove employee names and contracts from the Bernalillo County transparency portal is headed for 30 days of public discussion. The portal, established in 2011, is a central location for public documents such as building permits, employee salaries and audits.

The proposed ordinance, which was raised at a County Commission meeting Tuesday night, comes a year after a massive ransomware attack wreaked havoc on county operations. Inmates were locked into Metropolitan Detention Center when video surveillance failed; couples couldn't get marriage licenses; county residents couldn't pay property taxes. It took 19 days for the county to fully get back up and running.

At the Tuesday meeting, Commissioner Walt Benson said that more recently, an employee's name and title were swiped and used in an attempt to change the direct deposit of her checks to a different account.

"There's so much information out there that's not safe," Benson said. "It's unsafe for individuals, it's unsafe for the county as an organization, it's not safe for our taxpayers or constituents."

The proposal would strike employee names from the transparency portal, but keep a list of positions in the county. Some salary and benefits data, as well as the names of employees' supervisors, would be removed from the list as well.

Contracts that could affect the security of the county, Benson said, also wouldn't be posted, but would still be available through public records requests. He said in the next 30 days, language would have to be discussed to clarify what qualifies as a threat.

County Chief Information Officer Robert Benavidez said that hackers can use this information to make their phishing attacks seem more real. For example, he said that data about benefits can indicate how many dependents an employee has. In the January attack, hackers used information from the transparency portal to find information about a user with administrative privileges, which they then leveraged against an older system.

But some commissioners are concerned about government transparency and accountability, and questioned how far the proposal would go.

"A really draconian interpretation of this could be: 'Every contract could compromise the safety and security of the county,'" Commissioner Eric Olivas said. "So I'd like to see some guardrails."

Melanie Majors, executive director of the New Mexico Foundation for Open Government, said the proposal potentially could enable corruption.

Many people, Majors said, don't know how to file a public records request.

"Why do people have to take another step to get information that should be readily available?" Majors asked. "...It's just putting up barriers."

She also questioned if the current staffing could handle a large influx of public records requests. Currently, two employees handle requests for the county. Since January, the county has received more than 3,000 requests. In a typical year, the county receives between 2,500 and 5,000 requests. Benson said he was uncertain if there would be efforts to hire additional employees to handle public records or teach citizens how to request documents. Staffing decisions are made by the county manager.

Lorie Liebrock, director of the New Mexico Cybersecurity Center of Excellence at New Mexico Tech, said the practice of using public information to create phishing and ransomware attacks is called "social engineering." By peppering in details to gain credibility, a person can use public data to believably impersonate someone's boss or a contractor.

Liebrock said the proposed amendments are an example of "security through obscurity" — the idea that, if those details aren't published, they can't be weaponized in phishing attacks. But the tactic isn't enough, Liebrock said, and noted she hasn't seen widespread adoption of the method.

"If you're hiding that information, it's harder to use against you," Liebrock said. "There's some truth in that, (but) it's not great cybersecurity practice from the perspective it's far from sufficient defense."

In the year since the attack, Benavidez said, cybersecurity in the county has improved. Last April, following the attack, the county adopted a new cybersecurity policy, which required a multi-factor authentication process — people signing in need a separate code sent to another device to log in — for certain accounts. County systems are now monitored 24/7 by a security operations center, and all computers on the network have sensors to intervene if suspicious activity is detected.

In the year since the attack, investment in cybersecurity measures has increased by approximately $2.5 million per year, Benavidez said. He added employees are performing better on phishing training. Besides yearly cybersecurity trainings and new employee training, every month employees are fed fake phishing attacks. When they started sending out phishing attacks, about a third of employees fell for them. Now, the number stands around 2%.

But he said it's "just a matter of time," before an employee falls for a phishing attack.

The proposed amendments should return to the Board of County Commissioners on or after Sept. 12. In that time, the proposed ordinance can be amended. The public would have a second opportunity to comment on amendments.

"It's about creating a balance between safety and not infringing on public information," Benson said.