Experts Say Dallas Police Evidence Loss Was Avoidable

Experts in information technology and cybersecurity said that the loss of at least 22.5 terabytes worth of Dallas police investigative files could easily have been avoided if there had been adequate safeguards to protect sensitive data.

According to City officials, the employee responsible for the missing files had lost data on at least three other occasions. This revelation prompted the FBI to open its investigation into the intentions of the employee. The Dallas Police Department had cleared the employee of intentional wrongdoing.

“I’m disappointed in the lack of controls, disappointed that this happened, and surprised that such a major error could have occurred,” said Dr. Costis Toregas, director of The George Washington University’s Cybersecurity and Privacy Research Institute. “If it was a small community with a part-time IT guy, I could understand, but we’re talking about the City of Dallas.”

Dallas City Manager T.C. Broadnax outlined new policies last month, including the requirement that two IT employees will now oversee any data movement. In addition, a 14-day waiting period will be instituted before data is permanently deleted.

Toregas said that having two employees overseeing the movement should have been the procedure before losing the files. He also said that aggressively managing the directory of people who have access to the data and segmenting data so that large swaths can’t be affected at once are safeguards that should have already been put in place.

Andrew Wildrix, Chief Information Officer of INTRUSION, said the employee must have moved the data from online storage to a physical city drive instead of copying the files, which led to the data loss.

“I would imagine that an organization of that history and size would have had safeguards put in place, but it’s obvious those were ignored,” he said.

A criminal justice professor at Texas Christian University, Johnny Nhan, said the DPD should have used paid “cloud storage services,” which automatically back up data and upload large amounts of footage like police body camera video. He explained that these systems create copies and “multiple levels of redundancy” to data, which helps restore files if they are lost.

“If police departments have a diligent IT department, then that data would be backed up more than once,” Nhan said.

Ed Claughton, Chief Executive Officer of PRI Management Group, said the best way to guard against losing such data is having a two-party validation process. The process requires two people to approve or review each step of transferring or deleting data.