As the Town of Purcellville urges nearly 2,000 people affected by a year-and-a-half-old data breach to call in and learn more about their situations, some are calling for more than just information—they’re calling for a criminal investigation.
For a second time, the Purcellville Town Council on Tuesday night discussed a data breach, caused by the unauthorized removal of a flash drive from town property, that has affected 1,800 people across the country, 25 of whom reside in the Purcellville-area 20132 ZIP code. Town Manager David Mekarski encouraged all of those individuals to call the number on the letters that the town’s consultant, the McDonald Hopkins law firm, sent out last month. He said that so far, only 44 people have done so. “We really need the activism of those who received the letter to work with our contractor,” he said.
Of the 1,800 individuals affected, McDonald Hopkins found that 1,740 were part of a single organization. Mekarski was expected to make the first contact with that organization on Wednesday. He said that in doing so, the discussion would help the town better understand the breach at its core.
In urging the remaining 1,756 affected individuals to call McDonald Hopkins, Mekarski said the law firm would provide the town with information on which types of personal information have been compromised for each person—whether that’s Social Security numbers, driver’s license numbers, credit card numbers, bank records or other sensitive information.
Some victims want more than an alert about the risk of identity theft; they want a criminal investigation.
One of those is Andrew Sanderson, who asked the council to order law enforcement to initiate a criminal investigation into the removal of the flash drive. Sanderson said a Virginia identity theft law had been broken, since the flash drive landed in the hands of third parties “without the authorization or permission of the person or persons who are the subjects of the identifying information.”
“Since my identity is out there … that’s a violation of law,” he said.
Vice Mayor Tip Stinnette said the council is working to figure out if a criminal investigation is warranted. Mekarski said the town has tried to gain the attention of the FBI, the Virginia State Police and the Attorney General’s Office, but to no avail. Town Attorney Sally Hankins said the town had already met with outside agencies on three occasions and that “they have not found anything sufficient for us to pursue.”
The breach dates back to events more than two years ago. In October 2017, then interim Town Manager Alex Vanegas initiated an investigation into now-discredited allegations of misconduct by Police Chief Cynthia McAlister. In doing so, he directed IT Director Shannon Bohince to provide him with a flash drive containing McAlister’s entire email box, which Vanegas then allegedly handed to Georgia Nuckolls, the HR consultant he hired to help with the investigation. Bohince told Vanegas to not remove the flash drive from the town hall.
Three weeks after the investigation concluded, which resulted in McAlister’s firing, the town placed Vanegas on leave upon finding that he mismanaged the investigation and was involved in an inappropriate relationship with Nuckolls. Vanegas was later fired and McAlister was reinstated.
In April 2018, Brian Reynolds, the publisher of the Loudoun Tribune—the newspaper where Nuckolls formerly worked as an HR Director/Business Manager—claimed to be in possession of McAlister’s email box. The town staff realized that it had lost track of the 9.1-gigabyte flash drive, which contained thousands of pieces of personal information, and filed an insurance claim with Virginia Risk Sharing Association. VRSA then hired McDonald Hopkins and the Beazley cyber services firm to conduct a forensics investigation into the breach using a copied flash drive that Bohince made when creating Vanegas’ copy.
On Oct. 17, the law firm worked with the town staff and sent letters to 1,800 individuals across the nation notifying them that their personal information had been compromised to some degree. The firm sent those letters on town stationery, but it included its own Harrisburg, PA address and phone number, which led many recipients to believe the letters were inauthentic.
The town staff, however, did not inform the Town Council that the letters were being sent out, which led Stinnette to call a Nov. 9 emergency meeting to sort matters out.
Mekarski on Tuesday took the blame for neglecting to inform the council about the letters. “It is clearly on my shoulders for not providing advanced notice of the letter going out to the community to the council,” he said.
Moving forward, Stinnette said the town would put out an updated press release on the breach, obtain McDonald Hopkins’ investigation analysis and create an FAQ page on the town website to answer the various questions that have been asked.
Hankins said it would be important for the town to let McDonald Hopkins do the talking, though. Councilman Nedim Ogelman agreed, but noted that the town had an obligation to share any public information that the firm furnishes.
“If our consultants, if those experts, have something to say, I think we owe it to our community to provide that,” he said. “The town … and its body of support … has been doing everything it can in due diligence and in abundance of caution and will continue to do so.”