The vice mayor and town manager of Purcellville, Virginia, are apologizing for a data breach affecting almost 2,000 people and expressing regret for the way they informed town residents that their personal information might have been exposed.
In an emergency session Saturday, the town council sorted out what they knew about the data breach as well as the manner in which affected people were informed that their privacy may have been at risk.
Vice Mayor Tip Stinnette opened the meeting with an acknowledgment that the situation wasn’t handled well: “I’m sorry. We collectively could have, and should have, done a better job in rolling this information out to the community, on the data breach. So, for that I apologize,”
In the meeting, Town Manager David Mekarski said the town’s 2017 investigation into its own police chief, Cynthia McAlister, contributed to the data breach.
McAlister was fired, but rehired after an independent investigation determined the town’s probe and firing of McAlister was without merit.
However, during the turmoil, a data memory stick containing McAlister’s emails was never recovered. The memory stick contained confidential information on approximately 1,800 people.
Contractors hired by the town recently sent letters to people whose personal information might have been exposed, but the format of the letters led many to question their authenticity.
“We essentially gave the contractor, McDonald Hopkins, town letterhead. They took the town’s letterhead, put their notification information on it, with their address and contact information, and sent it out to the community,” Stinnette said. McDonald Hopkins is an out-of-state law firm.
“So, you can see why the community might be a little confused because they’re getting something with a personal masthead that is actually from a contractor.”
In a letter to the council received the day before the emergency session was called, town manager Mekarski shouldered much of the responsibility.
“The critical failure in this process was not providing the council with advance notice of this letter and the circumstances surrounding it. For this failure, I take full responsibility. You have both my personal and professional apology for the embarrassment and confusion that this letter has created,” he said.
In Mekarski’s letter, which Stinnette read aloud during the emergency session, he said the intent of the program was to protect individuals who conducted business with the town and could be at risk. To date, Mekarski said, they have no evidence that any of the 1,800 people at risk had actually had their security breached.
“Our job, as custodian of their personal information, was to ensure that the aberrant behavior that inflicted the town administration would not victimize other innocent individuals,” Mekarski wrote.
Stinnette said the data breach and public notification would likely be discussed at Tuesday night’s scheduled town council meeting.