The Washington PostDemocracy Dies in Darkness

Sensitive data from 1,800 people may have fallen into hands of felon, Virginia town says

Purcellville, Va., publicly disclosed a potential data breach late last week.
Purcellville, Va., publicly disclosed a potential data breach late last week. (Bill O’Leary/The Washington Post)
Placeholder while article actions load

Sensitive personal data from 1,800 people from across the D.C. area, including crime victims, law enforcement officials and people who filed police reports, may have been obtained by a felon who claimed to have the entire email inbox of the Purcellville police chief.

A data analysis firm and officials for the small town in Loudoun County publicly disclosed the stunning potential data breach in letters sent to the victims late last week and at an emergency Town Council meeting over the weekend. The disclosure touched off confusion, a flood of questions and an apology from town officials.

Vice Mayor Tip Stinnette told council members at the meeting Saturday that a thumb drive containing a copy of Police Chief Cynthia McAlister’s inbox disappeared after it was created as part of an internal investigation, according to an audio recording of the meeting posted by the town. Officials said there is no indication to date that any of the personal data on that drive has been exploited.

“The stick contained 9.1 gigabytes of information — literally tens of thousands of pieces of correspondence,” Stinnette read from an email to victims. “The correspondence contained personal identifiers such as Social Security numbers, license numbers, birth dates, medical information, credit card numbers and/or bank numbers.”

Stinnette said that the affected individuals included people from multiple states beyond the D.C. area and that the emails contained “personal identifiers” from regional law enforcement officials. The town has set up a hotline for people to call and is offering services to help mitigate the impact of any potential breach.

The town first learned that something might be amiss in April 2018, when the former publisher of the Loudoun Tribune, a man with a felony record dating back decades, said he had the police chief’s entire inbox in an email to the mayor that also contained questions for his reporting, Stinnette said in an interview.

Earlier this year, the former publisher, Brian Reynolds, of Leesburg, pleaded guilty to unrelated federal fraud and weapons charges. The charges stemmed in part from defrauding investors in his newspaper.

Town officials said they have yet to determine whether Reynolds actually had the police chief’s email inbox, but the memory stick has never been recovered, and it remains unclear what became of it. Reynolds’s disclosure prompted an investigation.

Reynolds is jailed pending sentencing in federal court in Alexandria. An attorney for Reynolds said he would get back to The Washington Post if his client had any comment but did not respond further.

A Purcellville IT employee later surmised that Reynolds may have obtained the emails after a former interim town manager requested a copy of the police chief’s inbox in October 2017 during an internal probe of the police chief, Stinnette said at the Saturday meeting. The drive may have been handed off to a consultant, who produced a report on the police chief that utilized her emails.

Purcellville police chief to be reinstated after year-long investigation

McAlister was fired amid allegations that she created a toxic work environment, intimidated a council member and inserted herself into internal-affairs investigations. But she was re­instated after an investigation determined that the probe of her was flawed and that the allegations were unfounded.

The investigation of the investigation found that the consultant did not appear to have the proper credentials to conduct a human resources probe. The town said she also had old criminal convictions.

Stinnette said town officials had asked for the interim town manager and the consultant to return the thumb drive containing the email inbox, but they had never produced it. Stinnette said he has no indication that a criminal probe has been opened into the disappearance of the memory stick.

“It’s hard for us to say there is no evidence of a specific breach,” Stinnette said in an interview. “It bothers me that potentially we have law enforcement data that is sitting out there on a hard drive.”

Purcellville Mayor Kwasi Fraser struck a more upbeat note.

“There is no evidence their information was compromised,” Fraser said. “Out of an abundance of caution we provided information to the public. This is a potential data breach, not an actual data breach.”

Stinnette apologized for the town’s “dysfunctional communication” in notifying the public about the breach, noting officials had only recently learned the extent of the issue.

A data analysis firm sent out letters on town letterhead informing people about the breach, but the contact information listed on the letter was for the firm, raising questions about whether the letter was valid. The firm is based in Harrisburg, Pa.

“I’m sorry for the way this was communicated to the community,” Stinnette said. “We can and should do a better job.”

‘A sea change’ for prosecutors in Northern Virginia as liberal democratic sweep races

‘A one woman crime spree’: Con woman charmed athletes, executives and manicurists

U.S. judge rules Trump suit to block House from getting his state tax returns belongs in court in N.Y.

Local newsletters: Local headlines (8 a.m.) | Afternoon Buzz (4 p.m.)

Like PostLocal on Facebook | Follow @postlocal on Twitter | Latest local news