Florida police said a raid they conducted Monday on the Tallahassee home of Rebekah Jones, a data scientist the state fired from her job in May, was part of an investigation into an unauthorized access of a state emergency-responder system. It turns out, however, that not only do all state employees with access to that system share a single username and password, but also those credentials are publicly available on the Internet for anyone to read.
Jones on Monday shared a video of the police raid on her house as part of a Twitter thread in which she explained the police were serving a search warrant on her house following a complaint from the Department of Health. That complaint, in turn, was related to a message sent to Florida emergency responders back in November.
About 1,700 members of Florida’s emergency-response team received the communication on November 10, according to the affidavit (PDF) cited in the search warrant for Jones’ home. The message urged recipients to “speak up before another 17,000 people are dead. You know this is wrong. You don’t have to be a part of this. Be a hero. Speak out before it’s too late.”
That unauthorized message was sent to the contact list for Florida’s Emergency Support Function 8, or ESF-8, one of 18 groups of Florida state emergency-response personnel. ESF-8 is headed under the Florida Department of Health and coordinates public health response, including “triage, treatment, and transportation” across multiple agencies. All users in the group share the same username and password, the affidavit confirms. Investigators looked at system logs and identified an IPv6 address associated with the message, which they then determined to be connected to Jones’ house.
After the raid on her home, Jones gave multiple media interviews in which she repeatedly denied having anything to do with the message. To CNN, for example, she said, “I’m not a hacker,” and added that neither the tone nor the content of the message matches her communication style.
In November, when the message went out, state DOH spokesman Jason Mahon declined to answer the Tampa Bay Times’ questions about “what, if anything, had been done to better secure the emergency alert system against future hacks, nor whether there have been other instances where the system had been hacked.”
It now seems the Times’ question may have gone unanswered because the Florida Department of Health had no answer, other than to continue bad security practices.
“All users assigned to [ESF-8 tools] share the same username and password,” the affidavit cited in the search warrant confirmed. That set of login credentials apparently does not change when users resign or are fired; instead, “once [employees] are no longer associated with ESF8 they are no longer authorized to access the multi-user group.”
That set of account credentials that all users share is part of a logistics operation manual that is publicly searchable and accessible on the Florida DOH’s website.
A link to the manual was shared in a Reddit thread discussing the raid on Jones’ house, which multiple Ars readers flagged to us. (Thanks!) We are choosing not to share a direct link, but as of publication time, the link was still live and working.
The document is a guideline for ESF-8 logistics staff. The first section includes a list of tasks management needs to complete in certain given periods. The second section includes a list of systems log-in information along with points of contact for each of those systems if they should be needed. It’s the kind of information anyone who has worked in an administrative or support role for any organization has likely had on hand—for internal use only.
Ars contacted the Florida Department of Health about the document prior to publication; officials did not immediately provide a response. We will update this story if we receive additional comment.
Additional reporting contributed by Timothy Lee.