TODAY'S PAPER
Good Morning
Good Morning
Long IslandNassau

Concerns about Hempstead data leaks went unaddressed, emails show

Hempstead officials in January started redacting sensitive information

Hempstead officials in January started redacting sensitive information from documents posted on the town website. Credit: Howard Schnapp

Emails show a former Hempstead Town official expressed concern to colleagues in 2018 about data leaks on the town website after finding a consultant's Social Security number posted there, but confidential information about other contractors remained exposed on the site for another 14 months.

Hempstead Town Clerk Kate Murray said last month her staff was redacting nearly 100 such pieces of private information about contractors they found on the site, including Social Security and tax identification numbers, which left companies that do business with the town vulnerable to identity theft. Hempstead spokesman Greg Blower said he was not aware of any identity theft that occurred as a result.

But the emails, which current and former town officials provided to Newsday, show one staffer flagged the issue as early as November 2018, 14 months before Murray became town clerk and her redaction effort began.

Current and former Hempstead officials disputed who is to blame for the delay in addressing the issue, reopening recent partisan divides in the town. Former Supervisor Laura Gillen, a Democrat who lost her seat in November to Don Clavin, returning the traditionally Republican government to near-total GOP rule, blamed the town attorney’s office for the lapse. Town Attorney Joe Ra, a Republican, pointed the finger back at the Gillen administration.

The emails reviewed by Newsday show Ari McKenzie, Gillen’s chief technology officer, wrote to Deputy Town Attorney Albina Kataeva, former Deputy Town Attorney Federico Amorini and Gillen’s counsel Mitchell Pitnick in November 2018 that sensitive information about a consultant was posted in town board documents on the town website.

“Do we have a process or procedure in place for the redacting of [personally identifiable information] in town board resolutions?” he wrote. “I am trying to see where the oversight was.”

In a later email, he expressed concern there might be other data breaches on the site. 

"I am not sure how widespread this issue might be," he wrote. "I am hoping it can be simply limited to this example, however it is something we all agree should be taken very seriously."

McKenzie met with Amorini the next month, and Amorini said he would address the matter with the Purchasing Department, according to the emails and an interview with McKenzie.

“He clearly said he was taking care of it with the Purchasing Department,” McKenzie said in the interview. “I'm not sure what happened after that.”

The next day, Amorini wrote to McKenzie: “I have spoken to Purchasing and I am satisfied that the Town is covered concerning vendor information.”

Unredacted information stayed on the town website for another 13 months.

Amorini, in an email to Newsday, said the only private information he knew of on the site was the Social Security number McKenzie cited, which another staffer then redacted.

"If there were other documents or other vendors with similar concerns, I am unaware of them," he wrote.

Pitnick, in a statement, said: "The Gillen administration identified the issue and attempted to resolve it through the proper, established channels on numerous occasions."

Kataeva did not respond to a request for comment. Ra, who said he was speaking on her behalf, said he did not know why confidential vendor information remained online after McKenzie raised the issue. He said town attorney’s office staffers do not themselves redact documents, but rather offer legal opinions upon request as to whether documents should be redacted.

“It’s the administration that had to take care of it, not us,” he said. “If they didn’t want it there, they got the legal opinion that it didn’t have to be there, they could’ve taken it down.”

Gillen disagreed.

“My administration discovered the problem and at my instruction directed the town attorney to correct it,” she said. “The office — controlled by holdover Republicans — elected not to do so.”

Richard D. Fishman, whose Social Security number McKenzie found on the site, said he was not surprised his private information had made its way online.

"Of course I don't feel good about it," said Fishman, whom the town considered but ultimately decided against hiring as a cemetery consultant. "In today's world, there is no privacy."

Nassau top stories