Yee was wrong; it's not a security breach
A follow-up to a claim Kimberly Yee made during a primary debate
During her primary debate for Arizona State Treasurer, Kimberly Yee claimed it was a security breach when her opponent released public records showing she rarely shows up to her office at the Executive Tower.
She said she reached out to the Arizona Department of Homeland Security to look into it. I got records from the department showing, no, it was not a breach of security to release these public records.
I originally wrote about those records back in August, which you can read here.
This is how the May 12 letter to Director Tim Roemer began:
The letter goes on to claim that Yee’s office should be the one to sign off on releasing the records, even though the agency that houses the badge swipe records is the Arizona Department of Administration, which does not take orders from anybody but the governor (or likely his top staffers), and definitely not from the state treasurer.
“We are requesting that The Arizona Department of Homeland Security perform the necessary actions to ensure that badge access locations remain secure and that access to this type of information is only made available to individuals with a need to know for business related purposes only. We believe this request is necessary to ensure the safety of all State of Arizona employees and elected officials. The Office of the Arizona State Treasurer serves as the state’s banker and investment manager; therefore, it is vital that our office security protocols are protected like a financial institution,” the letter states in closing.
Here’s how the events transpired as documented by Thomas Considine, the State Chief Privacy and Compliance Officer. The bullet points below are from an email exchange on May 11 between Considine and members of AZDOHS and ADOA:
[Deputy Treasurer Mark] Swenson said he made notes that some of the information seemed to require redaction prior to release because it included Treasury Access Pad physical locations, identification numbers, and a string of other information he thought could pose a risk to the security and safety of Treasury offices and staff.
He also made mention of the Governor's parking garage access pad information included in the PRR.
Mr. Swenson said he later learned the PRR was released to the requestor without any redaction because Megan Rose's staff hadn't noticed the notes listing Mr. Swenson's concerns.
Mr. Swenson reported this issue to the Treasurer's legal representative, who directed him to report this issue to Arizona Homeland Security as a potential security breach.
At 16:38, I spoke with Jason Joseph, ADOA GSD, Physical Security Manager. I asked if his office managed the access points for the Department of Treasury. Jason said they did manage Treasury. I informed Jason of the information provided to me by Mr. Swenson.
Jason said he was aware of the issue, as he was the person who pulled the information for the PRR. Jason said there was no sensitive information released in the PRR that would pose any threat to staff or facilities. Much of the information he provided in the PRR was already redacted before he sent it to Megan Rose.
Jason said there was no need to reprogram any access pads or badges, and this was not a potential security breach/incident.
Based on my conversation with Jason [Joseph] and his determination that no sensitive information was improperly released, I see no need for further investigation at this time unless directed otherwise.
-Thomas Considine, the State Chief Privacy and Compliance Officer.
Internal communications show how AZDOHS came to the decision that it was not a data breach, but as of mid-July the department still had not communicated that information to Yee’s office, which would explain why Yee said in her June 28 debate that she had alerted Arizona Homeland Security, still unsure of the severity.
In my original story, I did wonder why the records released to Yee’s primary opponent, State Rep. Jeff Weninger, were not as fully redacted as my records, and it appears that the person in charge of redacting records at ADOA did not redact certain portions, likely in error, but an August email from AZDOHS to Yee’s office confirmed it was nothing.
“The basic information provided could not be used to compromise State facilities,” Considine wrote to two members of Yee’s team.
You can view the communication records in full here.