Purcellville Urges Data Breach Victims to Call In; Resident Calls for Criminal Investigation

As the Town of Purcellville urges nearly 2,000 people affected by a year-and-a-half old data breach to call in and learn more about their situations, some are calling for more than just information—they’re calling for a criminal investigation.

For a second time, the Purcellville Town Council on Tuesday night discussed a data breach, caused by the unauthorized removal of a flash drive from town property, that has affected 1,800 people across the country, 25 of whom reside in the Purcellville-area 20132 ZIP code. Town Manager David Mekarski encouraged all of those individuals to call the number on the letters that the town’s consultant, the McDonald Hopkins law firm, sent out last month. He said that so far, only 44 people have done so. “We really need the activism of those who received the letter to work with our contractor,” he said.

Of the 1,800 individuals affected, McDonald Hopkins found that 1,740 were part of a single organization. Mekarski was expected to make the first contact with that organization on Wednesday. He said that in doing so, the discussion would help the town better understand the breach at its core.

In urging the remaining 1,756 affected individuals to call McDonald Hopkins, Mekarski said the law firm would provide the town with information on which types of personal information has been compromised for each person—whether that’s social security numbers, driver’s license numbers, credit card numbers, bank records or other sensitive information.

Some victims want more than an alert about the risk of identity theft, they want a criminal investigation.

One of those is Andrew Sanderson, who asked the council to order law enforcement to initiate a criminal investigation into the removal of the flash drive. Sanderson said a Virginia identity theft law had been broken, since the flash drive landed in the hands of third parties “without the authorization or permission of the person or persons who are the subjects of the identifying information.”

“Since my identity is out there … that’s a violation of law,” he said.

Vice Mayor Tip Stinnette said the council is working to figure out if a criminal investigation is warranted. Mekarski said that town has tried to gain the attention of the FBI, the Virginia State Police and the Attorney General’s Office, but to no avail. Town Attorney Sally Hankins said the town had already met with outside agencies on three occasions and that “they have not found anything sufficient for us to pursue.”

The breach dates back to events more than two years ago. In October 2017, then interim Town Manager Alex Vanegas initiated an investigation into now-discredited allegations of misconduct by Police Chief Cynthia McAlister. In doing so, he directed IT Director Shannon Bohince to provide him with a flash drive containing McAlister’s entire email box, which Vanegas then allegedly handed to Georgia Nuckolls, the HR consultant he hired to help with the investigation. Bohince told Vanegas to not remove the flash drive from the town hall.

Three weeks after the investigation concluded, which resulted in McAlister’s firing, the town placed Vanegas on leave upon finding that he mismanaged the investigation and was involved in an inappropriate relationship with Nuckolls.Vanegas was later fired and McAlister was reinstated.

In April 2018, Brian Reynolds, the publisher of the Loudoun Tribune—the newspaper where Nuckolls formerly worked as an HR Director/Business Manager—claimed to be in possession of McAlister’s email box. The town staff realized that it had lost track of the 9.1-gigabyte flash drive, which contained thousands of pieces of personal information, and filed an insurance claim with Virginia Risk Sharing Association. VRSA then hired McDonald Hopkins and the Beazley cyber services firm to conduct a forensics investigation into the breach using a copied flash drive that Bohince made when creating Vanegas’ copy.

On Oct. 17, the law firm worked with the town staff and sent letters to 1,800 individuals across the nation notifying them that their personal information had been compromised to some degree. The firm sent those letters on town stationary, but it included its own Harrisburg, PA address and phone number and led many recipients to believe the letters were inauthentic.

The town staff, however, did not inform the Town Council that the letters were being sent out, which led Stinnette to call a Nov. 9 emergency meeting to sort matters out.

Mekarski on Tuesday took the blame for neglecting to inform the council about the letters. “It is clearly on my shoulders for not providing advanced notice of the letter going out to the community to the council,” he said.

Moving forward, Stinnette said the town would put out an updated press release on the breach, obtain McDonald Hopkins’ investigation analysis and create an FAQ page on the town website to answer the various questions that have been asked.

Hankins said it would be important for the town to let McDonald Hopkins do the talking, though. Councilman Nedim Ogelman agreed, but noted that the town had an obligation to share any public information that the firm furnishes.

“If our consultants, if those experts, have something to say, I think we owe it to our community to provide that,” he said. “The town … and its body of support … has been doing everything it can in due diligence and in abundance of caution and will continue to do so.”


2 thoughts on “Purcellville Urges Data Breach Victims to Call In; Resident Calls for Criminal Investigation

  • 2019-11-16 at 2:13 pm

    There is an article out this morning with accurate, specific and verified information regarding this breach originated from a former Fairfax police officer who Purcellville had hired.
    “However, a deeper look at the origins of the breach indicate that a police officer who was hired by the Town of Purcellville completed an expense report for the Town of Purcellville – using an expense report document form from the Fairfax County Police Department as he was previously employed there. It is unclear how the Fairfax County Police Department expense report form was obtained by the police officer…Unknown to the officer, this document contained a seal – not visible to the eye – with a hidden link to the personal data of 1,740 Fairfax County employees. In submitting this expense report to the Chief of Police, the officer unknowingly transmitted via email hidden personal data from Fairfax County employees.”
    So, It seems that Purcellville did not cause this breach, nor was it targeting PVL residents, yet PVL town manager, (who had recently applied for a position in a different town in a different state) and town staff proceeded WITHOUT due diligence or consulting the Town Council of the incident and proceeded to alert all who might possibly have been affected by a possible breach, all in a few days’ time. Loudoun Now had the entire story before the Town of PVL was even alerted or had the information.
    I concur wholeheartedly with a criminal investigation, but it needs to be backed up to the BEGINNING of this whole mess. When was this data collected onto a thumb drive? Who put it on the drive? Who were ALL the persons in the ‘chain of custody’ of this drive? WHO is the former Fairfax officer? What part does this officer play in the investigation from which the drive went missing? What happened to prosecuting ALL the infractions or unlawful actions that occurred which BEGAN this whole dumpster fire, but were set aside, possibly in an effort to ‘end’ the whole screwed up investigation which was caused by a former Town employee having an affair with the investigator? The investigation turned up all sorts of inappropriate or illegal actions that were dropped due to the affair which tainted all the information. Do it again. Will the new and uninterested Town Manager and the Town staff, who has been here for DECADES, acting independently of the town Council and Mayor, in blatant disregard for proper procedure answer for their actions? The Town is supposed to answer to the residents, not go off on their own vendettas or agendas using their positions to their personal advantage.
    Purcellville, Step Up and Stop Ducking your head, standing in a corner when this keeps happening. Dig into it, expose it all, prosecute who and when needed, and then CLEAN HOUSE. It’s seems it’s open season to sue the Town since nearly all the bad players are still here.

    • 2019-11-22 at 12:22 pm

      “… using an expense report document form from the Fairfax County Police Department as he was previously employed there”

      So we know it is a male and that person previously worked at FCPD – sort of narrows it down. How was this information obtained?

      “Unknown to the officer, this document contained a seal – not visible to the eye – with a hidden link to the personal data of 1,740 Fairfax County employees.”

      A document containing an embedded “seal” can only be transmitted electronically. Either the police officer brought an digital copy from FCPD or it was provided to him by someone in the PPD who had access to a copy. Any such embedded link would reference a web page or document that contained personal data. Why wasn’t this information password protected?

Leave a Reply

%d bloggers like this: