HAGERSTOWN, MD News (8/22/2023) – For 271 days, Washington County residents have been left without answers as to the impact of the Thanksgiving Day cybersecurity incident in 2022. However, new information has finally come to light. Washington County Government’s response to our Maryland Public Information Act (MPIA) request has inadvertently confirmed the existence of compromised or exfiltrated data in the November 24, 2022 cybersecurity incident. Our request, submitted on July 25, 2023, aimed to unearth crucial information about the incident’s impact on Washington County residents, properties, and businesses.
The heart of our MPIA request centered on obtaining summary records linked to the cybersecurity incident. We sought summary records encompassing both encrypted and unencrypted data, specifically concerning Washington County residents, properties, and businesses.
However, the response from County Attorney Kirk Downey, representing Washington County Government, arrived on August 22, 2023, denying our request under legal pretexts outlined in Maryland code §§ 4-351(a)(1), 4-338, 4-343, and 4-301. While these legal grounds were cited as the basis for denial and were not unexpected based upon previous MPIA requests related to this matter, the response itself inadvertently provided validation for our concerns.
When filing a MPIA request, one of several responses can be expected:
- No records exist
- Complete records provided
- Partial records provided, partial record denial
- Complete record denial
Since the county did not state that no matching records exist, their denial of the request implicitly acknowledges the existence of summary records connected to compromised or exfiltrated data. By citing ongoing investigations and cybersecurity considerations in response to our very specific request for summary records of data that was compromised or exfiltrated, the county inadvertently confirms the very issue we sought to uncover – that sensitive information pertaining to Washington County residents, properties, or businesses was indeed compromised in the Thanksgiving Day cybersecurity incident. The exact details of this information, if it was encrypted, and who in the county is affected, remains known only to the Washington County Government. We were also unable to find any record of a breach notification on the Maryland Attorney General’s website, as required by Maryland law.
This revelation underscores the urgency of our mission to promote transparency, accountability, and the safeguarding of sensitive information. Rather than deterring us, this confirmation of compromised data only strengthens our resolve. We remain committed to pursuing transparency through the established channels, beginning with filing a request for mediation with the MPIA Ombudsman. Should the need arise, we are fully prepared to escalate our efforts to the Public Information Act Compliance Board.
At its core, this situation exemplifies the intricate balance between government transparency, cybersecurity, and individual rights to information that directly influences personal safety and privacy. As we navigate the appeals process, our primary objective is to unveil the full scope of what transpired and to advocate for comprehensive measures that bolster the security of Washington County residents, properties, and businesses in the digital age.
Washington County residents should contact their elected officials and demand transparency regarding the cybersecurity incident.
The MPIA response is available below. Note that our original request had a typo requesting Thanksgiving Day 2023, instead of 2022. However, we immediately sent a correction to the request to the county attorney.
Article by multiple RFHC contributors.
Discover more from Radio Free Hub City
Subscribe to get the latest posts sent to your email.