Websites that track massive data breaches list Gov. Mary Fallin’s personal email address, which she uses to conduct state business, among information identified as compromised by Russian hackers, an investigation by The Frontier has found.
Additionally, business and social media accounts belonging to some of Fallin’s top advisors — including two cabinet members and a former spokesman — are listed on the websites as being compromised.
A source who spoke to The Frontier on condition of anonymity said Fallin contacted the Office of Management and Enterprise Services earlier this year, claiming that she believed her personal email account had been hacked. Fallin explained that the account may have contained sensitive personal information, the source said.
A second site that tracks data breaches lists Fallin’s LinkedIn account, which included her personal email address and a password, as stolen by the hackers.
Fallin’s office and the agency that manages state IT security — the Office of Management and Enterprise Services — have so far refused to address the issue of whether Fallin’s personal email account was compromised by the data theft.
A spokesman for OMES, when contacted by The Frontier, referred all questions for this story to Fallin’s office.
The governor’s general counsel issued a statement regarding Fallin’s use of personal email. The statement did not address whether and to what extent Fallin’s email or LinkedIn account had been compromised.
“As has been routinely acknowledged for years, on occasion, staff using their state email account will use the governor’s state email account as well as her personal email account to make sure the governor sees the correspondence in a timely manner,” the statement by General Counsel Jennifer Chance said.
“According to the attorney general, use of a personal device to conduct state business is not contrary to law and is not prohibited. … Per policy, the governor’s response, regardless of which email account she uses, is captured and stored on the state email server and is available in response to an open records request.”
It is unclear how that would occur in all cases, as Fallin’s sbcglobal.com email account is routed through Yahoo’s email system, not the state’s servers, and several of her top staff members have also used personal email to communicate.
In motions that are part of an Open Records Act lawsuit against Fallin, she describes her use of personal email as “more efficient” and claims she has difficulty accessing the state’s email system after hours. However, the state’s email system is available to employees at all hours if they use the web-based Outlook system.
The Frontier found Fallin’s personal email address among information listed on two websites — HaveIbeenpwned.com and Leakedsource.com — that aggregate information on millions of individual accounts breached by hackers.
These sites are able to verify the hacked accounts after the data is posted on publicly available websites and companies involved confirm they have been hacked. The information is provided to help people determine whether their accounts have been hacked.
The breach that affected Fallin occurred in 2012, but the extent of the hacking was not fully revealed until this year and, according to media reports, was linked to a group of Russian hackers. Depending on the governor’s security practices, that means her email related to state business could have been compromised for years without her knowledge.
Fallin is widely rumored to be among the top candidates for the post of Secretary of the Interior. On Monday, Fallin was named vice president of President-elect Donald Trump’s transition team.
Trump criticized his Democratic opponent, Hillary Clinton, throughout the campaign for her use of a private email server, which he claimed put important government information at risk.
Trump threatened to jail and lock up the former secretary of state if elected (despite lacking authority to do so) for using a private email server. However, the FBI said it found no evidence that Clinton committed a crime.
Additionally, emails about Clinton from her top campaign advisor’s Gmail account were hacked and leaked during the campaign, which intelligence agencies have attributed to hackers linked to the Russian government.
Fallin’s email related to Oklahoma’s state business certainly does not contain the sensitive information found in a secretary of state’s email. However, the hacking episode raises questions about her ability to maintain security for official records she oversees and to follow state IT security policies.
A state law Fallin signed in 2013 requires certain state security breaches to be reported to OMES and for the public to be notified about them through a website, security.ok.gov.
An OMES spokesman said the website has not been set up because no reports of state data breaches have been made since the law was passed.
OMES’ 94-page document dealing with state IT policies and procedures contains numerous requirements and recommendations that could have helped Fallin and her top staff members avoid falling victim to hackers.
Cabinet members also hacked
The domain for Fallin’s personal email address, email@example.com, is now part of the AT&T email system hosted by Yahoo.
The Frontier verified that the account remains active by sending an email to that address requesting an interview with Fallin. The email was not returned as if sent to a nonexistent account and Fallin did not respond to interview requests.
In May, Reuters reported that about 40 million Yahoo accounts were among 270 million stolen email accounts being traded in Russia’s underworld.
It appears that Fallin’s information was taken by a group of Russian hackers who breached millions of social media and email accounts in 2012.
Several days after those reports surfaced in 2012, a state official warned employees to change their passwords on LinkedIn accounts, noting that many state employees used the accounts for business purposes. Officials said then that the risk from the LinkedIn data breach was minimal, as employees need both a password and a numeric employee ID code to access the state system.
Leakedsource.com lists Fallin’s LinkedIn account — including her personal email address and a numeric password — as among those swept up in the LinkedIn data breach in June 2012. It is unclear whether her email account was also compromised by this data breach.
HaveIbeenpwned is a website operated by Troy Hunt, a Microsoft executive and cybersecurity expert featured in media outlets including Forbes, Time and PCWorld. (Pwned is gamer slang for dominating a rival.)
In an interview via Skype, Hunt said he started the site three years ago because he noticed the same email addresses and passwords turning up in multiple large data breaches.
“Every time we see these large data breaches there are always large .dot gov email addresses in there,” Hunt said.
He said hackers are generally divided into three types: those who seek financial gain, those associated with “nation-states” gathering intelligence and “hacktivists.” Hunt described hacktivists as “usually young males that just want to break into stuff, particularly if it’s a government official.”
Hunt said he’s sympathetic to government officials who are victimized because they are merely using email addresses and passwords to access professional sites such as LinkedIn or Dropbox. However, he said it’s important for those officials to follow security procedures to protect the integrity of government records.
As opposed to commercial email services, government accounts would be far more likely to have “enforceable security requirements” to prevent hacking, Hunt said.
“You would be kind of concerned if you did have government officials storing things in public services where these things have been out there.”
It appears Fallin is not alone when it comes to accounts linked to her office being targeted by hackers.
The Frontier searched the official domain for employees of the governor’s office — @gov.ok.gov — and found 17 accounts ending in that domain listed on Hunt’s website. Compromised accounts included the Dropbox accounts of her former spokesman, Alex Weintz, and former deputy policy advisor Andrew Silvestri, now employed by Google.
Contacted by The Frontier, Weintz said he wasn’t aware his .gov email was targeted by hackers. He said when he worked for Fallin’s office, the account was used for benign purposes such as sending photos to media outlets.
The state emails for five current or former employees of the governor’s office were listed among the information taken from Adobe accounts, part of a 2013 hack. (Adobe’s software is used to read and edit PDF documents.) One of the accounts was owned by a former general counsel under Gov. Brad Henry.
LinkedIn accounts for two of Fallin’s cabinet secretaries — veterans affairs liaison Rita Aragon and former Education Secretary Phyllis Hudecki — were also among accounts listed as hacked. The information stolen included state email addresses and passwords for both Aragon and Hudecki.
The state’s IT policies and procedures are extensive, requiring both a numeric ID and a password for access to the state email system. Users are supposed to obtain approval to use their own mobile devices, and encryption is required on mobile devices.
However, state officials using email outside that system or unapproved devices would only be subject to their own security practices and requirements of their email provider. Fallin’s office has not said whether she uses state equipment or her own to access email.
The governor also has access to a state email address: firstname.lastname@example.org. However, Weintz wrote in a 2014 email that “most of her emails are from the personal email address.”
A 2009 Oklahoma attorney general opinion and numerous state and federal court decisions have made it clear that “an agency cannot shield its records from search or disclosure” by storing them in a private email account, as one federal court ruling concluded.
Fallin’s use of personal email for state business first came to light because of an Open Records Act lawsuit filed in December 2014 against her and the Department of Public Safety.
The suit seeks records related to the botched execution of Clayton Lockett. Plaintiffs include the author of this story and her former employer, the Tulsa World.
A motion to compel Fallin’s office to search her personal email account for records in response to the lawsuit is pending.