Oops.
Looking for a mail-order Russian bride or wondering how to order a school term paper online? Or maybe you want to improve your slot machine skills by playing online casino games. The city of Houston’s official website for news releases has you covered.
The page on Wednesday morning featured a spate of blog entries on a variety of confounding topics that were decidedly unrelated to City Hall. They were taken down by the afternoon, after the Houston Chronicle inquired about them.
The source of the blog entries, many of which were nonsensical, was unknown Wednesday. Mary Benton, the city’s communications director, said she alerted the information technology department to the posts. The listed author on the articles, a housing department employee named Ashley Lawson, did not actually write and post them, Benton said.
The entries appeared on the city’s news site, cityofhouston.news, a WordPress blog that does not share a domain with the city’s primary website, houstontx.gov.
Christopher Mitchell, the city’s chief information security officer, said no city information was compromised.
“We were recently made aware of improper posts appearing on a blog site utilized by the city to allow individual departments to post departmental content,” Mitchell said in a statement. “The blog site is hosted on a third-party platform and is not connected to any City of Houston enterprise systems. At no point did the city experience a compromise of city systems, data, or information. The origin of the posts was from an active account that was no longer in use, and the city is taking all necessary precautions to correct the issue and prevent a recurrence.”
The posts, often in broken or garbled English, had appeared at least 29 times since Sept. 13, displayed as “uncategorized” entries among more routine posts about police and fire investigations and where to get a flu shot.
Yeah, from a cybersecurity perspective this is (most likely) more of an embarrassment than a breach. It’s a good reminder of why obsolete accounts should be routinely deleted, or at least disabled. There are simple ways to monitor for this kind of activity – even fairly low-tech solutions, like automatically emailing new post notifications to an admin, are worthwhile – and I suspect the city will be doing that in the future. If you have to experience a public cybersecurity failure, there are much worse ways to do so. Please take this relatively painless opportunity to learn from it.