Ineptitude of Joe Arpaio's Former Chief Deputy on Display in Possible Massive Data Breach
A story this week from the nonprofit investigative journalism outlets ProPublica and the Center for Investigative Reporting explores how a Chinese national gained access to all kinds of sensitive records, such as the Arizona driver's license database, before he disappeared.
"[T]he people responsible for hiring [Lizhong] Fan say one thing is clear: The privacy of as many as 5 million Arizona residents and other citizens has been exposed," the story states.
And we'll give you one guess which local law-enforcement agency is at the center of the controversy.
Of course, it's Joe Arpaio's Maricopa County Sheriff's Office, and more specifically, Arpaio's former chief deputy, David Hendershott.
From the story:
It was Hummingbird Defense Systems, a small Phoenix firm striving to break into the security technology market, that offered the opportunity. Hendershott, Arpaio's chief deputy, had years before become friends with Steve Greschner, Hummingbird's chief executive.
In fact, Hendershott first hired Hummingbird in 2003 to use its facial recognition software to watch for sex offenders at a Phoenix elementary school. The sheriff's office installed it soon after at its outdoor jail, famously known as Tent City. The fact that the technology flopped - one report by jail officials said a day's growth of a beard defeated its ability to accurately identify prisoners - didn't deter Arpaio's office, in the person of Hendershott, from encouraging Napolitano to put Hummingbird's technology to work at the intelligence center.
Greschner started partnering with some Chinese associates, and even got Henderschott in on trips to China. By the time Hummingbird's technology was being implemented at MCSO, "Greschner had already ceded significant control over Hummingbird's inner workings to Detaq, his business partner and liaison to China," the story states.
That's how the Chinese programmer in question came into play:
Hummingbird, without vetting [Lizhong] Fan further, sought his work visa, Greschner said, adding that he assumed law enforcement or other government officials took a closer look at the Chinese national. Greschner said he was asked by an official with the sheriff's department in 2006 to provide a numeric code for Fan's name, often used in investigations to pinpoint Chinese identity, which he did. In the application, Greschner said that Fan possessed skills not readily available in the U.S.
The Maricopa County Sheriff's Office endorsed Fan as well. In a September 2006 letter to the U.S. Citizenship and Immigration Services, a senior sheriff's official wrote that Fan already "demonstrated an extensive knowledge of the esoteric science" that converts human faces into data points. Such knowledge "appears to be" scarce.
Officials at the intelligence center discussed the wisdom of hiring a Chinese national for such sensitive work, according to Beasley, the counterterrorism director for the state's public safety department. Beasley said he opposed it without success.
"Was there a concern? Absolutely," Beasley said, "because China is not our friend." Cindy Bonomolo was the sheriff's deputy most often assigned to monitor Fan inside the intelligence center.
"I was told he did the facial recognition for Tiananmen Square," Bonomolo said in a June interview. "They said he was the best of the best. I have to say, this man was a genius." Greschner said Fan looked quite at home in the center.
"It was like 'I was a member of the club' - you know what I mean?" Greschner said of Fan. Bonomolo's ability to judge Fan's talent or oversee the integrity of his daily work in the intelligence center was not great. She'd chiefly served as a patrol or corrections officer within the sheriff's office. In an interview, she said she has no knowledge of computer science. Bonomolo said she had no reason to distrust Fan, and the two became close over discussions about her Christian faith. Fan became a Christian while in the U.S., she said. Much of Fan's job involved moving terabytes of data to servers. There were driver's license records from the state, arrest files from county jails and criminal history data that had to be uploaded. Next, Hummingbird needed Fan to edit the facial recognition software so that it could reliably search all those different databases.
Fan had access to the center's main network, according to three sources with first-hand knowledge of Fan's work arrangements. From there, he would have been able to see the directory of federal agents and state police working at the Arizona counterterrorism center, said Haney, the retired immigration agent.
Thus, day after day, Fan enjoyed the rarest of access to confidential personal and investigative files.
Then, on the first Tuesday of June 2007, according to a former law enforcement official, Fan paid cash for airfare to Beijing at the Phoenix Sky Harbor International Airport ticket counter. Fan's luggage, Greschner and Li said, carried two laptops and additional hard drives.
The Sheriff's Office maintained that no one else at MCSO was kept in the loop on the Fan situation by Hendershott:
For his part, Hendershott, the No. 2 man at the sheriff's office, was concerned about keeping the potential embarrassment from becoming public, according to documents. One email exchange shows that Hendershott contemplated reaching Fan in China and paying him to stay quiet.
"Make sure that he knows that I just want your stuff and no trouble," Hendershott wrote to Greschner, the Hummingbird executive who had hired Fan. "Just want him to go away. Can he and his wife keep their mouth shut?"
Hendershott was forced out of MCSO a few years ago for various acts of misconduct.
Our colleague Ray Stern, who chronicled many of Hendershott's misdeeds, once summed up his rap sheet like this: "Hendy's long list of misdeeds would take a book or three to describe in detail, but suffice it to say that none of them lend the ex-cop an aura of trustworthiness."
Click here to check out the whole ProPublica/CIR story.
Got a tip? Send it to: Matthew Hendley.