The breach occurred May 6, the day before the city was hit by a ransomware attack, though the sources said any potential connection between the events was investigated and determined to be unlikely, and the matter has been dropped.
Inspector General Isabel Mercedes Cumming's report Tuesday did not identify the former employee. Three sources, who requested anonymity to speak candidly on a personnel matter tied to a law enforcement investigation, confirmed to The Baltimore Sun that it was Tirell Clifton.
The Department of Public Works fired Clifton in May 2018 after the alleged hacking tools were found and a review determined the technology worker had granted himself special access to Public Works Director Rudy Chow's computer, according to a previous inspector general report and records Clifton provided to The Baltimore Sun.
A year later, Clifton was captured on surveillance cameras and identified by former colleagues at the Wolman building.
Clifton is not facing criminal charges in the case.
He did not respond Tuesday to requests for comment on his visit to the Wolman building.
Cumming's latest report said the fired employee told investigators he went to his old workplace to see former colleagues. However, Cumming's office found the visit was not sanctioned -- and was the result of a cascade of security lapses.
"Despite being told directly by the individual that they had been terminated from city employment, the security guard allowed them access to the elevators without scanning identification, signing into a log book or confirming the individual was allowed access to nonpublic areas," Cumming wrote in her report. "The OIG spoke with the guard, who said he did not follow protocol because he recognized and knew of the former employee."
Clifton was in the building for about two hours and "accessed nonpublic floors and offices, including employee workstation areas and locations containing sensitive material and equipment," Cumming found.
He was wearing a tactical vest and a "badge similar to those issued to law enforcement" at the time, and several employees who interacted with him told investigators they had assumed he had gone into law enforcement -- and they therefore didn't question his presence, Cumming wrote.
Clifton does not work in law enforcement, and told investigators he bought the vest and badge online, according to Cumming's report.
The incident occurred one day before the ransomware attack crippled the city's computer network. The sources said Clifton's visit put him on the radar of investigators, including the FBI, which is conducting an ongoing investigation into the ransomware attack and helped interview Clifton after the building breach was identified.
However, according to Cumming's report, investigators "did not find any indication" that Clifton had "damaged any equipment or took any material out of the building," and the sources said Clifton is no longer a focus of the ransomware investigation.
Dave Fitz, an FBI spokesman, said the agency could not comment on the ransomware investigation.
The incident preceded by a couple weeks a mass shooting by a longtime Virginia Beach employee at a municipal building there, which raised questions about security for cities nationwide. Twelve people were killed in the attack, and several others wounded, before police shot and killed the suspect.
Cumming said her office could not discuss details of the Baltimore case beyond those in her report, but took the breach in Baltimore seriously in part because of the threat unauthorized visitors to city buildings can pose to employees.
"The OIG's concern is the safety of all employees in Baltimore city government buildings," Cumming said.
Her report identified a "lack of policies and procedures to account for who should have access to nonpublic city facilities and how employee terminations are communicated from departments to the proper security personnel."
It also called for reforms -- some of which have been made.
The city's security vendor has barred the guard involved from working at city facilities, Cumming's report said. And in a letter to Cumming's office last week, Chichi Nyagah-Nash, the city's acting general services director, wrote her department had "spent the past month" having discussions internally and with other agencies about introducing lasting improvements.
"The safety and security of the city staff in, and visitors to, city buildings is something that we take extremely seriously," she wrote.
Nyagah-Nash said her department has reviewed and updated security protocols on validating the identification of employees and visitors, and put new stanchions in four buildings to better direct people toward security desks. She also said additional security personnel will be stationed at City Hall and the Wolman, Harry S. Cummings and Charles L. Benton Jr. buildings.
Nyagah-Nash's department also will start a "building security campaign and educational outreach effort" to ensure employees are involved in keeping buildings safe by reporting suspicious behavior and denying access to those without proper identification.
"We are committed to addressing this with urgency in order to avoid a repetition of the incident that brought the matter to light," Nyagah-Nash wrote.
Clifton, who sought the Democratic nomination for mayor in 2016, previously told the Sun that the investigation that resulted in his firing last year was the result of a misunderstanding. City IT officials aiding the inspector general determined Clifton created several routes to maintain his access to Chow's computer; Clifton said he was researching how to better protect the city's systems, and that the program the city characterized as a hacking tool was really anti-virus software.
City officials have estimated the ransomware attack -- which shut down city email and other systems critical for real estate transactions and the collection of transfer and property taxes and water bills -- will cost at least $18.2 million in lost or delayed revenue and costs for restoring systems. Hackers demanded the city pay them bitcoins worth about $76,000 on the day of the attack, but Democratic Mayor Bernard C. "Jack" Young has refused to do so.
©2019 The Baltimore Sun. Distributed by Tribune Content Agency, LLC.
