Greenfield city manager addresses allegations; Judge Judkins says chief, city manager working on issues
Pictured (l-r) at the June 10 Greenfield Village Council meeting are council members Carlos Ooten, Cory Taylor, Phil Clyburn, Mary Ellen McMurry and Brenda Losey. (Village of Greenfield photo via Facebook.)
By Rory Ryan
The Highland County Press
The Greenfield Village Council met in a special session Monday, June 10. Council members present included Phil Clyburn, Brenda Losey, Mary Ellen McMurry, Carlos Ooten and Cory Taylor.
The meeting was a follow-up to the June 3 council meeting, during which Greenfield Police Chief Jimmy Oyer alleged that someone had unauthorized access to the police department's computer network.
Oyer cited a letter by GPD Sgt. Jay Beatty that referenced the unauthorized access.
Following a May 24 council meeting, Greenfield City Manager Todd Wilkin met with Beatty to discuss an IT company named VC3.
According to Beatty's letter, Wilkin "advised me that the IT company, VC3, was attempting to complete the necessary steps in order to start the onboarding process for the GPD's servers. I advised Todd that I knew absolutely nothing about what he was requesting and could not help. I advised Todd that Chief (Jimmy) Oyer would return from vacation in a few days and that he or Misty Breakfield, the GPD's LEADs (Law Enforcement Automated Data System) TAC (terminal agency coordinator), would be the only people to help. Todd then advised me that VC3 is requesting someone other than Chief Oyer or Misty Breakfield to assist so they can go ahead with the onboarding process. I again advised Todd that I could not help, even if I wanted to, due to not having the knowledge or ability to help. Once Chief Oyer returned from vacation, I advised him of the meeting and forwarded the email I received from Todd Wilkin to both Chief Oyer and Misty Breakfield."
On June 4, Greenfield City Manager Todd Wilkin told The Highland County Press the village is investigating the matter.
"We have reached out to our LEADs contact, and he informed us we do not have any violations that he could confirm," Wilkin said. "He could not confirm that we had any unauthorized access. We have requested, and are waiting on a report for all accesses and log-ins to our server."
(See https://highlandcountypress.com/news/greenfield-police-chief-alleges-un…)
At the June 10 special meeting of council, Wilkin read from a prepared statement for the first 15 minutes of the meeting. (That statement is copied below.)
After Wilkin spoke, council member Brenda Losey made a motion for the village to hire an independent third party to look at the matter.
"I move to ask a third party IT company to go over everything. We need to get a neutral party to look at it. This is a serious matter."
Council president Phil Clyburn seconded the motion and then opened rounds of discussion.
Council member Mary Ellen McMurry said, "I think what we read from Mr. Wilkin's report is very comprehensive, and a third-party investigation will confirm that. I don't think there was a breach."
"I'm not agreeing with anything," council member Cory Taylor said. "I just want the truth."
"I want all of Mrs. Breakfield's documentation," council member Carlos Ooten said. "There may have been no breach, but there was unauthorized access to the room. Did Sherry Parker (village employee) allow VC3 to enter the server room?
"Ladies and gentlemen, you're going to spend some money, but we'll get to the bottom of this," Ooten said to those in attendance.
The next speaker was Highland County Court/Madison Township Judge Robert Judkins, who stressed the "importance of maintaining proper protocol with our terminals."
The judge provided some background on the court and location of the computer terminals at Greenfield City Hall. He said his clerk "authorized an individual to go in the server room with Parker and that Parker left, while the individual remained. He alleged that that may be a sanction on the village.
"I think the (police) chief had a reasonable basis to be concerned, and I concur with the city manager there was nothing criminal," the judge said. "We have to show that we have remedied the situation. We have to have a sign-in, sign-out system for anyone who has access. I think the city manager and chief of police are working on this to remedy the situation. We can't allow this to happen again."
Wilkin then stated that he has talked with LEADs and informed council that the village is not under any sanction, but a compliance issue.
"We need to have a logbook for certified individuals to be in that room," Wilkin said.
At that point, Clyburn stated that council had a motion from Losey to hire a third-party IT company. Council members voted, 5-0, to hire a company.
Clyburn then moved to adjourn, but Ooten wanted a motion for council to "have all of Mrs. Breakfield's documentation."
Clyburn responded that there was already a motion to adjourn, which passed.
• • • •
Following is a written statement on June 10, 2024 by Greenfield City Manager Todd Wilkin as presented to council.
The notes below represent the facts obtained while looking into the matter presented to the Village Council on Monday evening, June 3, 2024.
In this meeting, Mrs. Misty Breakfield and Police Chief Jimmy Oyer testified that there was unauthorized access/use of the police department (PD) server. During their statements at the meeting, it was noted that police officers could not access the LEADS terminal. Within this discussion last Monday evening, accusations were made that the PD server passwords were given out and that unauthorized users were on the PD server.
It was presented that the unauthorized access was a felony of the fifth degree, and that they didn’t know who was on the server. It was also mentioned that the officer who was left in charge while the chief was on vacation was approached to take over the IT process.
The village council members asked questions and made statements regarding the alleged unauthorized access. I informed the Village Council that I would look into the claims since I had just learned about the allegations from Law Director Hannah Bivens five minutes before the meeting.
Here are some key statements from last Monday’s meeting:
• Mrs. Breakfield said officers were unable to get into the LEADS terminal.
• Mrs. Breakfield stated she contacted the certified compliant vendor, the IT vendor, Andy, and he was told to give out the passwords, but he (Andy) didn’t want to get involved.
• Mrs. Breakfield said we have no idea who is in there (referring to the PD Server).
• Mrs. Breakfield stated somebody authorized access to our server.
• Mrs. Mary Ellen McMurray asked Mrs. Breakfield Are you 100% certain that it’s VC3 in there.
• Mrs. Breakfield said "yes" and that she confirmed it with Casey at LEADS Security, Chief Oyer, Hannah, and Andy
• Mrs. Breakfield said VC3 entered the server room on May 30 at 10:19 a.m.
• Mrs. Breakfield said that’s when they (VC3) put their programming in our system.
• Mrs. Breakfield said, Andy stated, “There’s a problem with your driver, and I can’t fix it.”
• Mr. Carlos Ooten said Council needs to take immediate action on shutting VC3 down.
• Chief Oyer said the officer in charge was approached to take over the IT process.
• Chief Oyer said somebody authorized the release for my IT guy, not my office.
• Chief Oyer said somebody authorized the release of our numbers.
• Chief Oyer said my number was released without my authorization.
• Chief Oyer said we could have lost our whole terminal over this, making it an unfunctional department.
• Chief Oyer said "I just got my first sanction in 20 years."
One of the many individuals we contacted last week was the Bureau of Criminal Investigation (BCI) under the office of the Ohio Attorney General. During our discussion with Agent Josh Rammel and finally Agent Kevin Barbeau, it was determined that the unauthorized access was not a criminal offense and that BCI would not be investigating the matter since it was not criminal in nature.
It is important to note that proper notification and protocol were not followed in this situation. Proper protocol is not to notify the City Manager five minutes before a council meeting that unauthorized access to the PD servers occurred and that individuals would be testifying at the council meeting about the situation.
The proper protocol would have been to contact the city manager when the situation was identified. But more importantly, and I can’t stress this enough, if it was truly unauthorized access to the server, why didn’t the chief of police notify BCI immediately to launch an investigation? This is especially true considering section 2913.04 of the Ohio Revised Code spells out that unauthorized access is a criminal offense.
In later discussions with Mrs. Misty Breakfield, I asked her if she believed I gave out the passwords, and she said, “no.”
If I, the city manager, had not given out the passwords, I should have been advised as soon as possible to help develop the next steps. I was not informed until five minutes before the (June 3) meeting and then accused of handing out passwords or attempting to persuade an officer to do so or take over the IT process.
During the June 3 meeting, no evidence was presented as proof of the unauthorized access or verification that the statements being made were factual. I have provided the council with all of my findings of fact, which include emails, phone call transcripts and a timeline of events and calls made to lead us to our conclusion.
I want to make this statement once again: If the police chief believed I gave out the passwords to his server and authorized access to the PD server, he should have contacted BCI immediately to investigate the criminal activity. But he did not. After I discussed this with the BCI agents, they stated nothing criminal had occurred and there was nothing to look into; it was a compliance issue.
To clarify the statements above, two officers could not log onto OHLEG, which is housed on the PD server. The testimony given last Monday indicated that officers could not log onto the LEADS computer. It is important to make a distinction between the LEADS terminal and the OHLEG system; they are different. The LEADS terminal server is different from the PD server, and factually, the current IT company does not have access to that password.
The OHLEG issue was a domain error. I have included the screenshot of the domain error in your information packet. Mrs. Breakfield came into work on Sunday, June 2, 2024, and walked into the server room with Mr. Andy Kappel on the phone. (Andrew Kappel is the owner of Atomic Computers and Design in Cincinnati. He is Greenfield's computer software vendor.)
They found a network cable that was not pushed into the port. Once that cable was pushed back into the port, the server came back online, and the domain errors disappeared.
Kappel was not a Criminal Justice Information System (CJIS) certified individual. Although Mrs. Breakfield testified that she contacted our CJIS “certified compliant IT Vendor, Andy,” to look into the server issue, Mr. Kappel logged onto the PD server, which is a compliance issue or could be considered unauthorized access. During his time on the server on Sunday, he said that you have a driver that is failing, and I can’t fix it. That is a true statement and has been noted for some time. The hard drive is not failing because of an unauthorized access, but because hard drives age and fail. The hard drive failure is on the main server.
In discussions with Kappel, we asked if anyone pressured, demanded or persuaded him to hand out the PD server passwords. He stated, “no.” We asked him if he was told to hand over the passwords a week and a half ago, as alleged, and he said, “no.” We asked Kappel if anyone was on our server and changed our passwords. Kappel said no one was on the server, and the passwords were not changed.
I asked Kappel how he could confirm this information. He stated that everything would show up on the server log, and that he could have the reports run to evaluate whether anyone was on the server and changed the passwords. After his investigation, he confirmed in an email to me, which is in your packets of information, that no one was on the server, no one accessed the server, and no one changed the passwords on the server.
So, in an email on Tuesday, June 4, 2024, Kappel confirmed with me that no one had committed the act of unauthorized access to the PD Server. The logs are in your report for your review; no one is, was, or has been on the server illegally except Kappel, and no one has changed the passwords. The only time passwords were attempted to be changed was during a phone call from Chief Oyer to Mr. Kappel around 6:15 p.m. last Monday, during which Chief Oyer instructed Mr. Kappel to change the passwords.
Mrs. Breakfield then told Mr. Kappel to hold off on changing the passwords until they discussed it with their lawyer.
Indeed, VC3 is not entirely compliant with the CJIS requirements, but they have been attempting to be since we signed the contract in March of this year. VC3 was scheduled to be onsite to start the onboarding process on April 16, 2024. Before this meeting, there were communications between the current IT company (Atomicx) and the new IT company (VC3) to gather information about the IT system, network, etc. During these communications, Atomicx provided VC3 with all the relevant IT information needed to start onboarding a new company, including passwords, network names and physical locations.
While VC3 was scheduled to be onsite on April 16, 2024, Mrs. Breakfield canceled their visit and halted the onboarding process, which delayed the CJIS certification process. In a text message sent from Mrs. Breakfield to Mr. Andy Kappel on April 15, 2024 at 11:27 a.m. regarding the meeting, she stated, “Just so you know that IT place cancelled (sic) their onsite bullcrap (sic) visit for tomorrow. I sent them a list of demands that has to be met prior to them even looking in our office. You know what we just went thought (sic) on getting compliant with LEADs so that’s not getting screwed up. If something “happens” and this place does not work out would you stay on with us? I do not want to deal with unknown people!! I’ve been complaining ever since they got this ridiculous idea!"
As you can see, the police department has delayed onboarding VC3 for almost two months. While discussing the accusation that whoever accessed our server installed their own software on the PD system, it was determined that no one had installed software on the PD system except for the Door Access control company, which Atomicx and IPS installed. No one installed any new software onto the server because no one accessed the server except for Atomicx.
It was stated that I approached the officer in charge while the police chief was on vacation and asked him to take over the IT process. Sergeant Jay Beatty provided a written statement, which I have included in your informational packet. I also included my response to Sgt. Beatty. In our conversation, I asked Sgt. Beatty, could he look into an issue with a background check card and help me answer the questions on that card? I showed him the email on my computer, which was from VC3 and had a background check card attached with red writing from BCI. It stated there was information missing. I asked him if he knew what that information was. Sgt. Beatty asked me to send him the email, and I did while he was still in my office.
Also, during this meeting, I asked Sgt. Beatty to look into village employee Mr. CJ Kyle's unauthorized access to the PD station. He asked me how I knew this, and I told him I watched Mr. Kyle enter the back door at the police station with a key fob. He informed me that this was not permitted and that he would address it immediately.
I never asked Sgt. Beatty to take over the IT process, grant unauthorized access to the server, or grant access for VC3. His statement proves my comments.
In many discussions with BCI, LEADS Security, Mr. Kappel, VC3 employees, village staff, and police personnel, it has been determined that no one was granted unauthorized access to the PD server. No one changed PD passwords or installed their software on the PD server.
BCI confirmed that nothing criminal had occurred, and LEADS concurred that nothing criminal or illegal had occurred. LEADS confirmed that we have a compliance issue and that we are not currently under any sanctions.
In discussing this with LEADS Security, Mr. Casey Barrett, I self-reported that Mr. Andy Kappel had unauthorized access to our PD server over the past four years. He asked me how we would correct that compliance issue, and I informed him that we planned to get VC3 through the vetting process and have them fully CJIS-compliant before they accessed the PD server. He agreed that these are the proper steps and concurred that once VC3 is certified, they can work in the server room, the PD server, and the police department.
As stated throughout my report, nothing criminal has occurred, and if there had been criminal activity, it should have been reported to BCI immediately by Chief Oyer. If Chief Oyer knew it was not criminal, then why did he bring it before the council before discussing it with me, which is the proper protocol? Either way, proper protocol has not been followed.
Unfortunately, it appears the testimony provided to the Council last week was not accurate. Whether intentional or not, it offered an opportunity to slander me, other staff on the third floor, and a reputable IT company. It also created unnecessary confusion within the community, with some citizens believing their private data was hacked or worse.
I have provided the council with evidence to support my findings, and I encourage you to verify everything I have said this evening.
In conclusion, I will provide notes from my interview with Mrs. Breakfield on Thursday, June 6, 2024.
I asked Mrs. Breakfield if our system was hacked, and she responded that Mr. Kappel had told her, “There was no breach.” Based on the server logs from Mr. Kappel, she admitted that no one was in our system. I asked Mrs. Breakfield, “Do you think I gave out the passwords?” She replied, “I don’t think you gave out the passwords.” Mrs. Breakfield admitted that LEADS was never compromised.
Sincerely,
Todd Wilkin
Greenfield City Manager
Cc: File, Solicitor Hannah Bivens
Pictured below is City Manager Todd Willkin.
Comment
abuse of power
Elected officials in the United States do not undergo background checks prior to taking office due to concerns about fairness and the potential for abuse of power. Perhaps since 2020, fairness and abuse of power is of little concern to power abusers.
server log-ins
"During our discussion with Agent Josh Rammel and finally Agent Kevin Barbeau, it was
determined that the unauthorized access was not a criminal offense and that BCI would
not be investigating the matter since it was not criminal in nature."
"We have reached out to our LEADs contact, and he informed us we do not have any
violations that he could confirm," Wilkin said. "He could not confirm that we had any
unauthorized access. We have requested, and are waiting on a report for all accesses
and log-ins to our server."
Very interesting... , BCI agents Josh Rammel and Kevin Barbeau determined there WAS unauthorized access while the LEADS contact could NOT confirm.
Why should this log-in report take so long to compile? He said "we" but has anyone but the village manager made a request?