The state Judiciary is investigating how many people gained access to a system used by about 1,500 criminal justice partners after a Maui defense attorney was able to pull the personal information of Gov. Josh Green from records of four parking tickets he paid.
John F. Parker, 75, who first brought the issue to the attention of the Honolulu Star-Advertiser, said he wants to bring attention to the access he found after paying $125 for a subscription to the Judiciary Electronic Filing and Service System. He said efforts to contact the state Judiciary by phone and get its attention were unsuccessful. Judiciary officials say they have no record of Parker reaching out.
“What I found, quite by accident … the screen pops up. … I immediately saw two new tabs that shouldn’t be there. The violator history tab that is not included in the scope of your $125 subscription. That is private confidential information protected by law,” said Parker. “I clicked on it, and sure enough it worked. This is a full violator history tab. It was an accidental find and they (state
Judiciary) wouldn’t believe me. It was totally an off-the-wall accident that I found this. But once I found this, I crawled in the hole a little further and poked around and said, ‘This is serious.’”
Parker said he accessed Green’s information only after his calls to notify the state were ignored.
“My logic was that I want to get their attention and get a backup set of eyes watching them,” said Parker, who documented in a April 10 letter to the Maui News exactly how he was able to access the system that includes the Social Security numbers, home addresses, dates of birth and other personal information for anyone who has ever gotten a ticket in the past 25 years.
Upon learning of the access to Green’s records, the Judiciary shut down JEFS on April 11, fixed the vulnerability and brought the
system back online April 12.
Parker said he feared that
“tens of thousands” of people’s personal information could be compromised, and outlined in his letter to the newspaper exactly how he was able to access the system intended only for law enforcement. It included screen shots of Green’s records that included his Social Security number “to support his claim along with an explanation as to how such personal records could be obtained through the use of a URL address,” according to a report to the Legislature about the incident prepared by the Judiciary.
“Our office is aware of the unauthorized access of personal information, and we have been reassured by the Judiciary that additional protections have been put into place to ensure that the personal data of our citizens is secure and protected,” the governor’s director of communications, Makana McClellan, told the Star-Advertiser in a statement.
The parking tickets Green paid were well before his time as governor.
Chief Staff Attorney
Susan P. Gochros told the Star-Advertiser in an interview that there is “no further vulnerability” of the JEFS system like the one Parker described.
In a letter to Parker dated April 18, Rodney A. Maile, administrative director of the courts, wrote that the process Parker described
to access the confidential
information of the governor could not “be discovered
by a regular JEFS user.”
“Specifically, your letter identifies internal URL links that are not available to the public, a regular attorney JEFS user, or a JEFS subscriber,” wrote Maile. “Thus, it appears you gained access to information on the JEFS system that you were not
authorized to access and thereby used the JEFS system in a manner that was not authorized. The Judiciary is investigating this incident and it is uncertain as to how long our investigation will take.”
Parker’s JEFS account was suspended and his subscription fee refunded, and he is prohibited from “further subscribing to JEFS until this matter is resolved.” Parker alleges that he is a “victim of whistleblower revenge,” a claim the state denies.
“They took away my membership in a system I need on a daily basis to run my business,” said Parker. “This whistleblower took it on the chin. Not to make me hero, but to warn others.”
Parker, who said he worked for IBM in Honolulu the 1960s and had a top-
secret security clearance with the U.S. Department of Defense, retained Honolulu attorney Steven Slavitt to represent him.
In an email to Gochros, Slavitt wrote that Parker’s “intent in presenting this
to you was simply to make sure that the Judiciary can protect private information from being accessed.”
“My client can show you exactly how he got access. He never got this account from anyone other than signing up for a JEFS account.
He did not get his account from any law enforcement agency,” he wrote. “He never used the violator history tab other than for the governor. He did this just to get your attention. No one else did this as far as my client knows.”
In the report to the Legislature about the access to the governor’s information, Judiciary officials noted that “upon learning of the unauthorized access to Governor Green’s personal information, the Judiciary immediately took action to prevent further unauthorized access to confidential information utilizing the method Mr. Parker described.”
The Judiciary added another access control verification to the web page tab in addition to replacing the URL used by Parker with a new address, according to the report.
“If Mr. Parker, a JEFS subscriber, or anyone from the public were to discover the new address, the access control verification would still deny them access to the web page tab,” the report reads.
To access the information that Parker did, a JEFS subscriber would need to log in to the system and then enter the specific URL, or internet address, that provides a higher level of system access to retrieve the information via a web page tab.
That URL is made available “only to certain entities, upon login, primarily criminal justice partner agencies” that are signatories to memorandums of understanding that protect the confidentiality of information and allow limited access and use for authorized purposes, according to the report.
Maile told the Star-
Advertiser in an interview that officials are still investigating, and “as far as we are able to determine the methodology that was described was not available to any unauthorized individuals.”
“Did we learn anything from this? Yes,” said Maile. “We will learn under any
circumstances.”
Parker said the method he found for accessing the information meant for law enforcement “involves a real and honest danger for a lot of people.”
“Start notifying a lot of people that this is possible. If I found it accidentally, I doubt I’m the only one who found it,” he said.