Attention Readers: We're Back
C&G Newspapers is pleased to have resumed publication. For the time being, our papers will publish on a biweekly basis as we work toward our return to weekly papers. In between issues, and anytime, continue to find local news on our website and look for us on Facebook and Twitter.

Board denies request for independent IT audit

By: Alex Szwarc | Macomb Township Chronicle | Published July 7, 2020


MACOMB TOWNSHIP — Residents and township officials alike had questions regarding how and why certain software was installed on an employee’s workstation.

An item of much debate at the Macomb Township Board of Trustees June 24 meeting was a request to hire an independent information technology firm to perform an audit of an unauthorized computer program installed on Clerk Kristi Pozzi’s workstation.

In a 4-3 vote, the board determined it wasn’t necessary to perform the audit.

Trustees Charlie Oliver, and Kathy Smith, Supervisor Janet Dunn and Pozzi voted to deny the audit. Trustees Tim Bussineau and Nancy Nevers, along with Treasurer Karen Goodhue, were in favor of an audit.  

The issue was added to the agenda by Bussineau, who alleged there was a data breach at Township Hall.

An October 2018 email from Beth Case, BPI Information Systems president, to Macomb Township Supervisor Janet Dunn states that BPI, which services the township’s information technology, discovered an authorized remote monitoring and management software package called “Auvik” on Pozzi’s Macomb Township computer.

The email continues that the software typically requires network administrative credentials and that BPI didn’t know how the software was loaded or installed.

BPI’s concern was that the software was conducting internal scans of the data network, then sending results to an external web portal in Ontario, Canada. It also considered the activity a threat to the township’s information systems.      

“The breach targeted sensitive data that is housed on the township network, was sent to a server outside of the country and possibly used for political purposes. This sensitive data includes resident information,” Bussineau said.

In 2018, BPI contacted Auvik, who confirmed that Fore-IT installed the software for the township.  

Bussineau said the reason he is revisiting the topic, after it was first addressed in 2018, is because it was also mentioned at an April loudermill hearing when the clerk’s office refused to address the issue. April was the first time Bussineau heard of the issue.

At the meeting, Bussineau said not knowing who installed the information system is his concern.

“It’s not a virus, not malware,” Bussineau said. “I don’t want our IT consultant to have to fear like they have to frame a narrative simply because it is an election year.”   

He said he’s learned that if the installed program had access to citizens’ credit card information, then a report of the breach would have to be done.

At the meeting, Case read an email she sent to the board following Bussineau’s request to add the agenda item.

Case read that the conclusion of BPI’s 2018 incident report revealed that a software package was installed.

“Although the software is not malicious, it requires privileged township credentials to install,” Case said. “Our investigation determined the software did not deem a threat.”

She said there was no reasonable concern that the network or its data was breached.  

Case told the board that credit cards were not jeopardized, and the software had no access to corporate data.     

Pozzi said BPI’s contract with the township expired in 2018 and was told that BPI was overcharging and underserving.  

“I knew someone in the IT industry and asked how I could better educate myself to find out if it was factual,” she said.

Pozzi told the board the software that was suggested allowed her to verify the network’s health and performance. Shen then researched to see if BPI was performing the necessary maintenance per the contract prior to voting to extend the contract.

In the December 2018 vote to award a three-year contract for technology sourcing services to BPI for $568,800, Pozzi cast the only “no” vote.

Dunn said the incident was two years ago and no data has been corrupted in that time.

“It is an unneeded expense and I don’t even know what it would cost,” she said.

Also at the meeting, the board approved to award a $118,050 master plan update planning services contract to Carlisle/Wortman Associates.

Carlisle/Wortman currently is the township’s planning consultant.

“Updating the master plan is advantageous for the township and is a bit overdue,” Planning Director Josh Bocks said. “It serves as a policy document to look at ordinances and regulations, and to see how the township is developing.”

Bocks added that updating the master plan is a four-phase endeavor. He expects it to take about eight months to complete.