5 million Arizona citizens' details stolen from counterterrorism center?

5 million Arizona citizens' details were allegedly stolen from an Arizona counterterrorism center by a Chinese national working as a facial recognition technology contractor. It's a convoluted breach story that has been covered up for seven years.

Secrets and cover-ups

You probably heard about a breach that exposed the personal information of 25,000 DHS employees, but did you hear about the breach that exposed the personal details of five million Arizona residents? Probably not, because the alleged breach was kept a closely guarded secret; the story involves a cover-up after a Chinese national and computer programmer was given keys to the kingdom…at least the kingdom that makes up the Arizona Counter Terrorism Information Center in Phoenix.

After conducting more than 50 interviews and poring through thousands of federal investigative reports, internal correspondence, immigration records and court filings, the Center for Investigative Reporting and ProPublica uncovered a massive breach that occurred seven years ago…but was never publicly disclosed.

The details include a Chinese national, Lizhong Fan, who had access to everything at the Arizona Counter Terrorism Center in 2007 as he worked on facial recognition technology. It’s believed he had “access to a wide range of sensitive information, including the Arizona driver’s license database, other law enforcement databases, and potentially a roster of intelligence analysts and investigators.” It’s believed he copied sensitive info and took it back to China.

Mikel Longman, who previously worked as a criminal investigations chief at the Arizona Department of Public Safety, stated, “Every Arizona resident who had a driver's license or state-issued ID card and all that identifying stuff is potentially compromised. That's a huge breach.”

There’s more, including some good ole boy shenanigans “made possible by a set of cozy relationships – among a tainted sheriff’s official, a dubious technology startup company and a woman who U.S. government officials think is a Chinese spy.” The tech startup was Hummingbird Defense Systems, whose chief executive Steve Greschner was buddies with the second in command at the Maricopa County Sheriff’s office. The woman thought to be a spy was possibly involved in bigamy as well.

The only part that doesn’t seem like something out of a movie is how easily the espionage was accomplished. There was no massive hacking; Fan had access, is believed to have made copies, and then fled back to China. He’s not been heard from since an email in 2010 and the FBI refused to comment upon anything involving Fan.

What is known…

Under Arizona law, then-Gov. Janet Napolitano and Maricopa County Sheriff Joe Arpaio, whose agencies admitted Fan into the intelligence center, were required to disclose to the public any “unauthorized acquisition and access to unencrypted or unredacted computerized data” that includes names and other personal information.

To this day, they have not.

The state was supposed to have scrubbed drivers’ names and addresses from the license data. State officials denied requests to discuss the extent of the data breach, including what personal information was in the files.

In fact, a review of records shows that David Hendershott, who was second-in-command at the sheriff’s office, moved aggressively to maintain silence, a silence that has now lasted some seven years. Two weeks after Fan departed, Hendershott directed others in writing not to discuss Fan and the possible breach. In an email to the outside contractor that had hired Fan, Hendershott wrote: “Keep this between us and only us.”

How did Fan get such access? Napolitano, Hendershott, and Col. Robert Halliday, the former director of the Arizona Department of Public Safety, all refused interview requests. Imagine that. John Lewis, who worked as the FBI's special agent in charge of the Phoenix division at the time, stated, “No one ever sat in my office and asked about having a foreign national inside the fusion center. That’s nuts.”

It’s a convoluted story, but it is believed the FBI and ICE investigated but never publicly released the results of the probe. The public safety agency first denied there was a potential breach, but then said “the matter was the subject of a confidential FBI investigation.” Later the same agency claimed “the case was a personnel matter, and thus the agency would not comment as a matter of policy.”

I highly recommend you read the entire story. There’s still a great deal of mystery that stinks like a massive cover-up. “But the people responsible for hiring Fan say one thing is clear: The privacy of as many as 5 million Arizona residents and other citizens has been exposed.”
