BY JEREMY KOHLER, ST. LOUIS POST-DISPATCH
St. Louis County abruptly took its website down on Sept. 1 because hackers were trying to break in, county officials acknowledged on Wednesday.
Doug Moore, a spokesman for County Executive Sam Page, said Wednesday no sensitive information was exposed. Although the Board of Elections was one of the departments affected, election officials emphasized that they do not store voting information or have access to voting systems on the site.
Moore did not explain why county officials failed to disclose the cause of the website outage until after an early version of this report was published online on Wednesday. Charles Henderson, recently appointed by Page as the county’s IT director, could not be reached for comment. The County Council’s committee of the whole is scheduled to meet Tuesday to weigh a decision to confirm his appointment.
County Council member Tim Fitch, R-3rd District, a frequent critic of the Page administration, said the administration intentionally misled the public and should have told council members why the site had been taken down. In an email, Fitch on Wednesday asked Council Chairwoman Lisa Clancy, D-5th District, to be able to question Henderson about the situation at his hearing.
A statement from Page’s staff the day of the outage said only that the information technology team had been making modifications to the site and that some content would not be available for two weeks. Moore added later that day that IT staffers had been in the process of moving the county’s online functions to a new site, but because of an unforeseen problem, they had to take down the old site.
A new site was published within hours with limited functionality. The new site has a more polished look, but many key functions had yet to be restored.
Few details were available about the nature of the hacking attempts. The Post-Dispatch learned about it from multiple sources in county government.
Earlier Wednesday, a county official who spoke to a reporter on the condition that his name not be used said he learned from a member of the county’s IT staff that Chinese hackers had exploited a vulnerability in the county website, and that the IT department had to shut the site down after discovering the problem.
The official said he wasn’t told what the hackers were looking for, if they succeeded in breaching the site or if any personal or payment information had been exposed.
The Post-Dispatch obtained emails dated Sept. 2 between Henderson and Courtney Curtis, an assistant to Councilwoman Rita Heard Days. Henderson told Curtis the IT staff had been working for several months on a new site using the .gov domain, with the intention of a “soft launch” on Sept. 1 and a public launch later in the year.
Henderson wrote that on Sept. 1, “a security vulnerability in the old site was identified and after evaluation it was determined that we could not correct that vulnerability. The vulnerability was hazardous enough that successfully exploiting it could endanger the integrity of our systems and put our residents and business data at risk of being destroyed, corrupted or stolen. Several attempts to exploit that vulnerability were already occurring.”
Henderson wrote that about 4 p.m. on Sept. 1, he met with Chief Operating Officer Mike Chapman with the recommendation “that we make the switch immediately despite the fact that we didn’t have the new .gov site as completed as we had planned. In my opinion, the risk to our residents and businesses and integrity of County systems outweighed the disruption that I knew such a drastic switch would cause.”
He wrote that Chapman “agreed with my assessment and we immediately turned our resources to bringing the .gov site up as quickly as possible and populating it with the most critical data as rapidly as possible.”
St. Louis Post-Dispatch, Distributed by Tribune Content Agency, LLC.