IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Doral, Fla., Data Breach Involves City Council Members

A data irregularity that allowed city staffers in Doral to view council members’ private folders on a shared network has led to escalating turmoil in the city, with some in government filing complaints.

data breach
(TNS) — A data irregularity that allowed city staffers in Doral to view council members’ private folders on a shared network has led to escalating turmoil in the city, with a councilwoman and the mayor’s chief of staff filing complaints against each other.

The core of the complaints dates back to Jan. 24, when the city’s Information Technology Department discovered what it called the “permissions misconfiguration.” Two council members, Maureen Porras and Rafael Pineyro, were affected.

Porras has since filed a complaint with the Miami-Dade State Attorney’s Office, accusing Mayor Christi Fraga’s chief of staff, Marion C. Troitino, of Sunshine Law violations and a data breach. Porras said that Troitino accessed almost 60 of her files seven days before an anticipated vote about whether to fire the city manager, something she believes is no coincidence.

“I was the decisive vote; they wanted to know how I was going to vote,” Porras said.

In response, Troitino submitted her own complaint to the Miami-Dade Commission on Ethics and Public Trust, alleging that Porras had exploited her official position by using city computers to access documents related to her immigration law practice. Troitino said that information surfaced in an IT report on the data issue.

Claim of a data breach preceding an anticipated vote

An IT technician’s statement sent to the mayor detailed that between 4 p.m. and 5 p.m. on Jan. 25, a day after discovering the technological issue, IT technician Brian Vazquez met with Troitino in her office. During the meeting, he tested opening the same folders that had been accessed improperly by other city employees, confirming the issue had not yet been resolved. The vulnerability was later fixed.

During a special meeting on Jan. 31 that was requested by Porras, IT Director Jose Otero said that the issue, “mischaracterized as a breach, was a case of internal permission irregularity.”

Otero explained that the newest council members were the ones with profiles that had misconfigured permissions. When asked specifically about Porras’ folders, he said that several council members had access to them.

“There was no clear standard operating procedure in place when the permissions were created,” Otero said.

However, Porras requested an independent audit, which is ongoing.

On April 3, the councilwoman filed a formal complaint with the office of State Attorney Katherine Fernandez Rundle, asserting that “the nature of this breach poses significant concerns about the integrity of the political process and the protection of sensitive information within our municipality.”

In her letter, Porras pointed out that the breach occurred in the lead-up to the city manager vote. On the same day as the special meeting regarding the technology issue, City Manager Barbara “Barbie” Hernandez was fired amid accusations of conflicts of interest, despite Mayor Fraga pleading with council members to let Hernandez stay on.

Councilman Rafael Pineyro filed a similar complaint with the State Attorney’s Office but directed it against another aide, Claudia Bailly, the chief of staff for Vice Mayor Oscar Puig-Corve, alleging that Bailly “potentially exploited these vulnerabilities.”

“116 of my files were opened by Bailly,” Pineyro said. “Nothing besides my council work was there, but it could have been trouble if I had been working on documents regarding particular laws.”

Like Pineyro, Porras’ files were also opened by Bailly, but the councilwoman distinguishes between Bailly’s actions and those of Troitino, asserting that “the vice mayor’s office was among those who discovered the breach,” unlike the mayor’s office. She claims Fraga “did take advantage of that access.”

According to the IT technician’s statement, Monica Hasbun, the chief of staff for Councilwoman Digna Cabral, was the one who discovered the IT issue. Hasbun then asked Bailly to see if she also had access, which she did.

‘Retaliation without merit’

Troitino, the mayor’s chief of staff, on May 3 filed a complaint against Porras with the Ethics Commission, claiming that the IT report had also revealed that Porras and her former executive aide, Maria Rodriguez, appeared to have accessed documents related to Porras’s immigration law practice on their city computers.

Porras explained to El Nuevo Herald that all her work done as a council member, including legal advice, has always been free and community-based, which she said was not a violation of ethics.

“The complaint has no merit. It is only to divert from the real problem of improper access by the mayor’s chief of staff, which is a violation of ethics,” Porras said.

Rodriguez said the councilwoman mistreated her during her year as chief of staff and that Porras made her fill out legal documents that Porras would then sign, as if she had done the work.

“She only signed the documents,” Rodriguez said. She resigned in December.

Rodriguez said that she believes Porras provides legal advice to gain votes.

“She wanted to gain the trust of the Venezuelan community by offering immigration advice and clinics. She was aiming to secure the Venezuelan vote for her reelection” in 2026.

Rodriguez clarified that they didn’t charge for the immigration advice, but she said most of her work in the city was regarding legal services, not official city business.

Porras responded that she has “never used city resources for personal benefit or that of my employer.” She believes the accusations against her are retaliatory to her complaint against the mayor’s chief of staff for “improper access” to her private files.

Fraga has denied that her chief of staff accessed Porras’ files. “My office was unaware of the incident until [Troitino] was asked by an IT technician to use her computer to check if the issue had been resolved.” The mayor stated it was the technician who clicked on the files, not Troitino.

What are the implications of the complaints?

Jose Smith, a former municipal attorney for the cities of Miami Beach and North Miami Beach who is currently a special magistrate for North Miami, dismissed the idea that the incidents involving Porras’ and Pineyro’s files constitute a violation of the Sunshine Law.

“It is a violation of the Sunshine Law when two or more councilors communicate with each other and agree to vote on something,” Smith said. “Viewing documents is not a violation of the Sunshine Law. We often see social media posts where politicians publicize their agendas. It only becomes a violation if another member of their government comments on those publications, either in favor or against.”

Regarding the allegations about the data breach, Smith said that if the computer belongs to the city, any authorized person within the government could access its contents.

“There is no legal privilege,” he said. “Very few things on the city’s computers are confidential.”

However, both the State Attorney’s Office and the Ethics Commission are now tasked with analyzing the evidence, while the city is conducting an external forensic audit of its IT systems to understand what happened.

Fraga, Porras and Pineyro ran together on a slate in 2022. Two years later, that alliance is fragmenting, leaving Fraga in a weak position, facing three votes against her in most of her proposals on the five-member board.

Fraga has repeatedly said that the attacks against her and and her staff are politically motivated, stemming from the fact that it is an election year in Doral with three seats open — hers, Pineyro’s and Puig-Corve’s. The vice mayor will not run for reelection, creating a vacancy that could either bring in a council member aligned with the mayor or maintain the current state of polarization in the chambers.

© 2024 Miami Herald. Distributed by Tribune Content Agency, LLC.