A Maui defense attorney was not authorized to access and acquire the personal information from four parking tickets paid for by Gov. Josh Green that were accessed through a system used by about 1,500 criminal justice personnel, a state investigation found.
In April, John F. Parker, 75, obtained “unauthorized access” to internal functions of the Judiciary Electronic Filing System, according to a report prepared by the state Judiciary.
The report was sent to state lawmakers last week following an investigation by Ballard Spahr LLC, a national law firm with information technology expertise.
After consulting with the Department of the Attorney General and the Department of Accounting and General Services’ Risk Management Office, Ballard Spahr was retained by the Judiciary for about $48,000.
Parker, who is calling for a public hearing by state lawmakers, maintains he accidentally found access to the private information during routine use of the system. He said he reported the JEFS vulnerability to the Maui News, the Honolulu Star-Advertiser, the governor’s office and the FBI.
Parker pulled Green’s information after four unsuccessful phone calls to the Judiciary attempting to alert them to the system vulnerability. The Judiciary maintains they have no record of Parker reaching out.
Upon learning of the access to Green’s records, the Judiciary shut down JEFS on April 11, fixed the vulnerability and brought the system back online April 12.
According to the Judiciary report, Parker used a means of unauthorized access to gain confidential personal information for “which he should have known that he had no authority to access.”
He disseminated the “confidential personal information to at least one other party, along with written instructions on how to replicate his method of unauthorized access,” without permission and without “appropriate regard for the affected individual’s privacy and safety and that of other individuals whose personal information is maintained on JEFS,” reads the report, which does not name Green.
The investigation did not find any additional people other than Green who were “affected by this incident.”
Parker shared a separate report with the state and the Star-Advertiser by a professional software engineer that he consulted and said the technical claims in the state’s report are false. The unnamed engineer determined that the cause of the access “occurred solely due to the server’s erroneous redirect logic” and that no “hacking” was involved.
The “faulty system logic” was the equivalent of a publicly available “open door” that led to all the confidential information that should haven been archived in the password-protected internal side of the JEFS system but was instead put on the public-access side of the JEFS system, Parker said.
”The confidential data was in the open totally unprotected. No one needed to hack in. At no time did I misuse my public access JEFS subscription. I was able to see confidential information because it was located within the public user’s area of JEFS,” Parker said. “I hope we can force a public legislative hearing on this. … We did do better than mainland states in avoiding a devastating cyberattack.”
The forensic consultant hired by the state found “no evidence of data scraping, or the mass extraction of information from a website,” according to the state report, which was sent to lawmakers via state Senate President Ron Kouchi.
Parker’s assertion that any member of the public could access confidential information in internal JEFS by purchasing a JEFS document subscription “is false,” according to the report.
To access internal JEFS, a subscriber is required to log in to the system and then enter the specific URL, or internet address, “for internal JEFS that provides a higher level of system access to retrieve the information via a webpage tab.”
“Mr. Parker did not have authorized access to internal JEFS and was only able to obtain access by using the URL address without authorization,” read the findings.
The Judiciary declined to comment on whether it referred the incident to law enforcement or the Office of Disciplinary Counsel.
The ODC was formed by the Hawaii Supreme Court to investigate complaints against Hawaii lawyers as part of the Disciplinary Board of the Hawaii Supreme Court, according to the Judiciary.
In response to a question from the Star-Advertiser about whether it received a formal criminal complaint about Parker’s access, the state Department of the Attorney General declined comment.
Parker, who had his access suspended April 11 and restored July 18, self-reported the matter to ODC.
“The effect of showing the Governor that his confidential information was publicly available got what I set out to accomplish and got it quickly,” wrote Parker in a May 24 letter to ODC. “What I did worked! And it worked quickly. I found the confidential information of tens of thousands of people lying in the open (in JEFS) and I threw a screenshot of the Governor’s confidential information on his doorstep with the implied message FIX THIS!! And that is exactly what Governor Green did.”
