Colorado law enforcement agencies look to cancel contract with hacked emergency notification system
Colorado law enforcement agencies are fed up with problems with an emergency notification system meant to serve multiple counties and are looking for a better solution.
The Douglas County Sheriff's Office says it is taking steps to end a contract with the provider of an emergency notification system called CodeRed after trouble with the system, blamed by the company that runs it on a "targeted attack by an organized cybercriminal group."
The service provides emergency messages to a number of counties and jurisdictions in Colorado, but has been problematic for over two weeks for DougCo, Aurora, and Weld County, among others.
"The Douglas County Sheriff's Office, in collaboration with the Douglas County 911 Board, has taken immediate action to terminate our contract with CodeRed for cause. Our top priority is the privacy and protection of our citizens, which led to the decision to end our agreement with CodeRed," said a statement from Douglas County.
Weld County, too, is looking at ending the use of the system. "Our county attorney and commissioners are really taking a look at our contract right now," said Weld County Emergency Management Director Roy Rudisill.
The trouble started on November 10th when Douglas County tried to utilize the system to let people know of a controlled burn coming two days later.
"We get ready to launch that CodeRed to the area that was affected by it, and we can't log into the system," said Douglas County Sheriff Division Chief Taylor Davis, head of the division of support services that works with the notification programs. "We hadn't been notified by CodeRed that the system wasn't working. I can't even say with 100 percent certainty when CodeRed knew the system was down."
Weld County says it was informed by the company that runs CodeRed the following day that it had been pulled offline on the 10th.
The information breach caused a warning to people who signed up with the system to monitor their private data.
"They haven't given us a lot of information. They let us know it was an online group. But they haven't told us anything about the identity of this group," said Davis. "What we do know was compromised was usernames, passwords, names of individuals, addresses, phone numbers."
But people were not asked for more personal information, such as social security numbers, to sign up.
"These platforms are hugely important. Folks in the community need to know when something's going on around them where they need to be safe," Davis added. "They're trusting that. We're also trusting that. So that trust was definitely broken."
The company released a statement Monday, including: The "OnSolve CodeRed environment in a targeted attack by an organized cybercriminal group…
We have learned that data associated with the legacy OnSolve CodeRed platform was removed from our systems. While there is currently no indication that this data has been published online, we are proactively informing you that it may be leaked."
Onsolve is run by a company called Crisis24, which is owned by the international security company Garda World.
In an emailed statement received Tuesday from "Communications" at Crisis24, the company said:
"We detected security vulnerabilities on November 10 and immediately suspended access to the OnSolve CodeRED platform. Shortly thereafter, we informed all customers of the OnSolve CodeRED platform via email that we had proactively suspended access to OnSolve CodeRED."
The company said it offered complimentary access to another platform.
"As soon as we were able to, we advised all customers that data potentially associated with the legacy OnSolve CodeRED platform may be published online following a targeted attack by an organized cybercriminal group."
Aurora said in a statement Monday night, "Inbound 911 services are not and have never been impacted, and the city can still send emergency notifications to those who have previously enrolled in CodeRed."
The city says if there is a need to alert the entire city, they will work with state partners.
Some systems alert wider areas, such as the state and federally-based Amert Alert system. Weld County has an agreement with Larimer County that it said would help.
Davis said DougCo was looking at other systems to replace CodeRed, but time is needed to sign a new contract and to ensure any new system would dovetail with their systems to function properly. And other systems may cost more, but the data may include phone number information, which can be used to send inquiries to people to allow or reject notifications. Such systems may up participation, said Davis.
For the time being, they expect to have to inform people in ways they used to decades ago, by door-knocking and letting the media and now social media spread the word.
"This is a tool that we utilize often. We're frequently putting out Code Reds, whether it's shelter in place or just advising of something going on in that area. And not having that tool, it's hard," Davis said.
