Records lacking for computer attack on sheriff’s office

Records of a ransomware attack on the Hidalgo County Sheriff’s Office are nonexistent, leaving little details available with the exception of an investigator’s testimony during a recent trial.

HCSO investigator Marco Antonio Mandujano lost data obtained from an early 2017 dump of a sexual assault victim’s cellphone because the computer on which it was downloaded got a “virus,” according to his Sept. 26 testimony in the 370th District Court.

Mandujano, who works in the Persons Division and has been employed with HCSO since 2006, was the lead investigator of the sexual assault case and testified the virus “was asking for ransom.”

“The data on the phone dump was wiped out because we are connected to the Internet, and somehow the computer program — Well, actually, the computer itself got a virus … and we couldn’t get into it,” the transcript of his testimony reads. “… It was asking for ransom — the computer virus. So there was no way to get into it … The whole computer memory was erased — the hard drive.”

HCSO has no records of the attack, Sheriff J.E. “Eddie” Guerra said Friday, because neither Mandujano nor the IT technician submitted reports about the data loss.

The Monitor previously submitted an open records request on Oct. 16 for specifics about the date or dates of any ransomware attack on the sheriff’s office in 2017, as well as details about the attack. HCSO replied on Oct. 24: “Our office does not have any information responsive to your request.”

Mandujano testified it was his opinion that the data obtained from the dump was of no use to the investigation, and thus the ransomware attack had no impact on his findings, according to the transcript.

The dump purportedly contained messages between the victim and two witnesses to the attack. Neither witness was called to the stand during the trial, and the investigator never spoke with one of them, according to the transcript.

The ransomware attack occurred on a computer in HCSO’s east substation in Weslaco, Guerra said. It is one of only two HCSO computers that is part of its internet-based computer network. These computers do not have restrictions on sites like Facebook and Craigslist that computers on HCSO’s internal network do.

No computers connected to the internal network have ever suffered a ransomware attack, the sheriff said Friday.

“The IT tech fixed (the computer),” Guerra said in reference to the data loss suffered by his investigator. “A week later the computer was working.”

In order to remove the virus, the IT tech — who is no longer employed by HCSO — had to reboot the computer, which restored its settings to its last backup. In the process, all data downloaded to the computer since that backup was lost, Guerra said.

Investigators download phone dumps on the two off-network computers in order to prevent potential viruses from phones infecting the internal network, the sheriff said.

“… The CID (criminal investigations division) chief said, ‘Well, I’ll have him write it up since we weren’t aware of it,’” Guerra said about the staff’s response following The Monitor’s public information requests.

Guerra did not require the report be written retroactively, but said from now on, he would require investigators and IT personnel to write reports of any data lost from these computers.

The likelihood of lost data, however, is slim, the sheriff said, because since Mandujano lost the data from the cellphone dump, HCSO requires investigators to automatically backup the data on a disc.

It’s unclear, however, if any other phone dump data pertaining to other criminal cases was lost during the early 2017 ransomware attack.

The Monitor’s open records request seeking all data lost or compromised as a result of the breach, including any files related to cases that have been prosecuted by the Hidalgo County District Attorney’s Office between Jan. 1 and Oct. 16, also came back with no information provided.

It’s unclear whether this was the result of reports not being filed by HCSO investigators and IT personnel, or simply because only Mandujano’s sexual assault case was impacted.