Documents reveal financial fallout of Salt Lake City IT security breach

Mar 31, 2022, 10:02 PM | Updated: Jun 18, 2022, 8:29 pm

KSLTV.com

SALT LAKE CITY – The case against a former Salt Lake City IT employee accused of leaking undercover police information has raised questions and concerns about how the city and its police department safeguard sensitive information.

Officials have been tight-lipped about the incident and have refused multiple interview requests since the employee’s arrest last October, citing the pending investigation and criminal case. Now, documents obtained by the KSL Investigators reveal new information that led a judge to dismiss a felony charge in the criminal case as well as the costs to taxpayers adding up in the wake of what the city calls a security breach.

Case background

Patrick Driscoll, 50, is accused of providing identifying and compromising information about undercover Salt Lake City police officers to a man accused of running a sex-trafficking ring, in exchange for money or sex.

Patrick Driscoll

Since his October arrest, Driscoll faces additional charges suggesting he participated in and benefited from the alleged criminal enterprise.

During a hearing in March, Third District Judge Chelsea Koch ruled prosecutors presented enough evidence to bind over eight of the nine charges against Driscoll for trial.

The charges include aggravated human trafficking, obstruction of justice, computer crimes, aggravated exploitation of prostitution and a pattern of unlawful activity.

‘He did so with authorization’

Koch found insufficient evidence to bind over one felony charge of computer crimes interfering with critical infrastructure.

The charge relied on a sworn statement from the city detailing efforts to assess what happened.

“The Salt Lake City individual who has been tasked with going through has indicated that there were no security breaches,” Koch said. “If there were no security breaches, then the inference the court can draw is that he did so with authorization.”

That document, obtained by the KSL Investigators through a public records request, states more than 150 databases and all public safety software systems were reviewed for potential compromises but, “none have been found.”

Salt Lake City sworn statement by LarryDCurtis

Driscoll was never an officer or an employee of the police department but still had “full access to the police department as well as all city and law enforcement databases,” according to court documents.

Koch did bind over a second computer crimes count, however, citing supporting evidence that Driscoll took home files that should have been deleted and kept police images of prostitutes that he is accused of using for his own sexual gratification.

“The distinction I make there is that while he may have had initial authorization for that, he exceeded his authorization,” Koch said.

Breach or no breach?

No employee should have “carte blanche access to everything across an IT infrastructure,” according to Earl Foote, founder and CEO of Nexus IT.

Earl Foote

Foote is a cybersecurity expert who agreed to review the document obtained by the KSL Investigators. He said he believes a breach starts with intent, regardless of one’s level of authorization.

“If (information is) accessed, you know, in accordance with that person’s daily duties and roles to help support the organization and its users, fine. There’s no nefarious activity there,” Foote said. “Once it turns into, ‘I want access for a reason beyond that, that’s personal and or to expose it to third parties,’ yes, that constitutes a breach.”

Foote said it appears the city is taking appropriate steps to respond to the incident but noted most security breaches are preventable.

“I think there’s no question here that some of the common controls and measures that should happen within an IT department probably were not as robust as they should be,” he said.

Cost to taxpayers

The city’s sworn statement reveals another side of the fallout: the cost to taxpayers.

“Cyber incidents have become astronomically expensive,” said Foote, who told KSL the average cost of a security breach in Utah is $2.5 million.

While some of the information in the document is redacted, the statement notes a $12,000 expense as well as a $34,000 expense. The latter lines up with a $34,000 purchase order obtained by the KSL Investigators for a digital forensic audit procured by the city.

The statement also estimated 2,000 hours of employee time spent responding to the breach, totaling $90,000 using a conservative average hourly rate of $45. The total cost outlined in the document, as of Dec. 2, 2021, amounts to $136,000, which Foote anticipates will grow.

“I would easily suspect this one incident to escalate into the hundreds of thousands of dollars,” he said. “Maybe half a million plus, wouldn’t surprise me at all.”

A spokesperson in the mayor’s office confirmed the city does have a cybersecurity insurance policy that predates the breach, but it’s unclear how much, if any, of the costs will be covered. The city has not yet submitted a claim.

Have you experienced something you think just isn’t right? The KSL Investigators want to help. Submit your tip at investigates@ksl.com or 385-707-6153 so we can get working for you.