Articles

Doña Ana County, N.M., Voter Roll Breach Not Linked to Software Failures

The county's IT department analyzed computer system security in light of several recent arrests in an alleged IRS tax return check-cashing and identity theft scam and alleged falsification of county pay stubs.

by Diana Alba Soular, Las Cruces Sun-News / June 24, 2015

(TNS) -- A Doña Ana County, N.M., employee told county commissioners Tuesday that recent allegations of fraud within the County Clerk's Office either didn't stem from county computer security system breaches or there's not enough information available to determine whether that was the case.

Separately, the county clerk's office said it's taken new steps to reduce risk of Social Security numbers being as easily accessed by office personnel.

Geof Abruzzi, county information technology application manager, told commissioners the IT department analyzed county computer system security in light of several recent arrests in an alleged IRS tax return check-cashing and identity theft scam and alleged falsification of county pay stubs.

Abruzzi said the former county clerk's office employee accused of stealing Social Security numbers from the voter rolls "allegedly accessed information using an online system run by the New Mexico Secretary of State's Office," not by the county IT department directly.

"This system is not managed in any way by county IT staff, so we are unable say whether this person had been given access that she shouldn't have had or if there were exploited flaws in the system that allowed her access beyond what was granted," he said during a staff comment period at a Tuesday meeting. "We are also unable to evaluate or change security procedures on this system."

Deputy County Clerk Scott Krahling said it's accurate that the county voter information is maintained on a Secretary of State's Office computer system via a third-party company. The company has worked with Doña Ana County on a system change that should shrink access to Social Security numbers by clerk's office personnel, he said.

At least so far, the alleged theft of Social Security numbers from the voter database doesn't appear to have been high-tech.

The accused local ringleader, Maria Ceniceros, 42, of Anthony, New Mexico, admitted to federal agents she'd picked through the Doña Ana County voter registration database records on her work computer to glean "names, birthdates, and Social Security numbers" to supply to organizers in Mexico, according to court records. She's facing three federal charges and more than 100 state charges for alleged identity theft and fraud.

Ceniceros told investigators she began taking voter data from her work computer in November or December 2014 at the request of Armando Gutierrez-Torres of Delicias, Mexico, who's also facing state and federal charges, court records state. According to court records, Ceniceros told investigators the scam organizers in Mexico specifically sought identity information for people "born in 1995," so she queried the Doña Ana County voter database for names of people born that year.

"Ceniceros stated that she would arrive at work early before any of her co-workers arrived and access the voter registration information," according to court records. "She stated that she was not able to print from the voter registration system, so she handwrote the names, Social Security numbers, and dates of birth onto ... notebook paper."

Change implemented

Ceniceros, in her capacity as a document technician, had authority to access county voter records, including Social Security numbers, according to the county clerk's office.

Krahling said Tuesday the company that maintains the voter registration information software has implemented a change that will limit the visibility of Social Security numbers by clerk's office staff. In the instance of an employee querying the database to generate a list of voters, the Social Security numbers will not immediately appear on the list. Also, if individual names — and voter files — from that list are clicked upon for more-detailed information, the Social Security numbers also will not appear, though the data will remain in the system.

Still, Krahling said that a scanned image of a person's voter registration card, which is attached to the voter database because of a state requirement, still would be visible to an employee seeking to view it.

"We're working with the Secretary of State's Office to see if can limit access to an image of the actual voter registration card itself," he said.

In addition to software, the clerk's office maintains the paper copies of voter registration cards, Krahling said. Those have Social Security numbers, as well.

Krahling said the clerk's office has done as much as it can to shrink risk of the numbers being stolen. Routine training for staff will be implemented, he said.

"We've lowered the level of risk down to its lowest possible level — at least the part that's under our control," he said.

Recommendations ahead

An outside advisory panel that will make recommendations to the clerk's office about data security met for the first time last week. Krahling said that panel has provided some good ideas so far.

Krahling and County Clerk Lynn Ellins are supporting a change to state law to not require full Social Security numbers when new voters register. That would reduce the risk the most, Krahling said.

"We don't believe in the big picture there's a reason for the state to continue to collect Social Security numbers," he said. Krahling noted that the confirmation of a person's identity could be accomplished by collecting the last four digits of a Social Security number in combination with a person's name and birthdate.

The Secretary of State's Office also has been working with the county to lower risk of data being stolen, Krahling said.

"We're in no way intending to pass the buck off and say that we can't do anything internally," he said.

The Secretary of State's Office couldn't be reached for comment Tuesday.

Pay stubs allegation

Also arrested recently was former County Elections Supervisor Lorrie Muñoz, who authorities allege modified pay-related documents to qualify for food stamps. While not tied to the alleged identity theft and check-cashing scam, the allegations against Muñoz are believed to have been uncovered in the investigation into Ceniceros.

Abruzzi said in response to the pay stubs case, "we have reviewed the systems involved to look for evidence of a breach, or for permissions that would allow access to change the information. We have found no evidence of such a breach, and she had no user access to the database that generated the online pay stub."

Abruzzi said his department has reached out to the sheriff's department for more information, but it "cannot provide us specifics at this point." Still, DASO has "indicated that this event was likely not a compromise of our system security."

County Manager Julia Brown said people are likely wondering how a pay stub could have been modified without improper access to a county computer system.

"What we surmise at this point is a screen shot of the pay stub was taken and then modifications made to that and then copies provided to the state," she said. "The question actually should be: What kind of security does the state have in place in terms of what they will accept in terms of evidence of eligibility for public benefits?"

Abruzzi said the security of residents', property owners' and employees' information is a top priority for his department

"We will continue to monitor these events in case there is information that suggests that our systems or procedures need changes, but at this point, nothing in either event suggests problems or compromises in the security of data systems at the county," he said.

©2015 the Las Cruces Sun-News (Las Cruces, N.M.) Distributed by Tribune Content Agency, LLC.