2 hacks at the City of Houston reveal system weaknesses: expert

By Keaton Fox
Wednesday, December 19, 2018

HOUSTON, Texas (KTRK) -- Criminals are holding computer systems hostage across the country and our 13 Investigates team uncovered the city of Houston has been the victim of hacks at least twice, according to city documents.

The city of Atlanta's computer systems were held ransom for tens of thousands of dollars. Tyler, Texas' water bill payment was breached. Dallas' tornado sirens were hacked - and set off in the middle of the night.

Of course, city computer networks control a lot of really important stuff. Systems you depend on to control the water you drink, the traffic lights that only sometimes work right, and the money you pay in taxes.

If a hacker gets into those, they won't delete your existence, but they sure could mess with things.

But city documents obtained by 13 Investigates reveal the city hadn't done nearly enough to prepare for the possibility that hackers would try to break in.

According to the documents we obtained describing Houston hacks for the first time, thousands of planning documents and permit applications were deleted by hackers in one 2017 cyber break-in.

In another, hundreds of building plans, permits and applications went missing.

"The plan review system... was hacked twice (May 4th and June 19th) and critical data was deleted," city documents reveal.

"Two major security breaches and data incidents happened at Houston Permitting Center," the documents said. "It came to notice there was... no security or audits controls turned on to prevent data breaches... multiple employees were given access to the system, without any formal approval in place. The login and password information was accessible to many people when the system was put in place and this problem was not corrected."

"The incidents may have been contained if change management and communication (escalation) plan and root cause analysis would have been done with the server team to identify the missing security protocols and password issues," the documents said.

Former FBI special agent in charge and ABC News security consultant Steve Gomez says city networks are a goldmine of private information for people, businesses and even public safety.

"A hacker gaining access into a city network now has the ability to grab that information and that could be sold or used by identity thieves all around the world," Gomez said.

After the Houston hacks, an investigation found firewalls weren't set up right, the city had no cybersecurity plan or process and no server monitoring tools, all according to city documents.

Before a July exercise, Mayor Turner said the city of Houston learned from the hack in Atlanta that made computers there very expensive paperweights.

"The number one lesson? Don't wait until it happens and then respond after the fact," Turner said at the time.

But there isn't much evidence the city did that. When we asked about the documented Houston hacks, Public Works told us all our questions could be answered in a month's old PowerPoint presentation given to a city council committee.

"The problem is that once the city starts to prepare for this type of cyberattack, they have to constantly be updating their security measures," Gomez said.

One City of Houston employee was ultimately fired at least partially for the public works hack.

Documents show she failed to change IT passwords when instructed and her performance reviews suggest her bosses were concerned she couldn't properly manage the city system she was in charge of.

The city never found the hacker responsible for causing the document mess.

Turner points out the city doesn't have unlimited funds and documents show this breach was limited to the one system at the Houston Permitting Center.

"We're taking the steps that we can within our financial means to upgrade our systems," Turner said.

After our story aired, a city spokesperson sent us this statement: "We do not discuss sensitive information related to the City of Houston's network security system. The City is in the process of implementing a four-year plan with 30+ initiatives to harden the city's data and systems. These initiatives will take serious proactive measures to ensure every customer's personal information is protected."

Experts like Gomez say small hacks are just the starting point as criminals test the system. Our requests for information regarding other attacks were turned down. In its denial, the city claimed that our having that information could help terrorists.
