TARRANT COUNTY, Texas — The Tarrant County Appraisal District (TAD) released a doozy of an update Friday about the recent data breach within the district’s information systems.
When the district originally announced there was a security breach in October 2022, it said it didn’t believe taxpayer information had been exposed. On Dec. 15, however, TAD Chairman Tony Pompa said a third-party information technology firm Apollo had found "some significant vulnerabilities in our network."
The appraisal district is responsible for appraising property values for tax purposes in Tarrant County.
"On November 10, we initially received what we believed to be the final findings from [TAD board attorney] Matthew Tepper and [systems security company] Apollo concerning the investigation into whether the Tarrant Appraisal District system had been hacked," Pompa's update read. "At that time, we reported no evidence of a hack, but Apollo did uncover some significant vulnerabilities in our network. Subsequently, we requested Apollo to conclude the investigation and shift focus to securing our network.”
That new information, Pompa added, surfaced in the form of tips from "concerned individuals" -- and, in response, the board directed Tepper to further investigate and engaged Apollo once again for a thorough analysis.
Pompa's statement was issued after realtor Chandler Crouch posted on his blog that he believed the true extent of the data breach was covered up.
In his own statement, Tepper said his investigation is still ongoing, and some of its findings could be available during the board's Dec. 21 meeting.
It’s not clear how much of the report will be shared with the public, said Tepper. The decision will be based on whether any information compromises the district’s cyber security, he said.
The board has also been searching for the next chief appraiser, following Jeff Law's resignation. Law resigned a week after his boss TAD director Cal Wood was fired after comments were made public indicating that he was OK with misleading the public. A whistleblower secretly recorded Wood in August telling staff he is "OK with creating a false narrative that distances the truth from the media."
In Tepper's statement, he provides an alternative explanation as to why Wood would say that.
"We could not conclude what false narrative Cal Wood created for this Board, the media or the public," Tepper said. "A false narrative could have been created to hide the deficiencies in a system that Wood was responsible for overseeing. Similarly, a false narrative could have been created to hide the ease with which TAD’s data could have been accessed in October of 2022, to prevent bad actors from trying to access the confidential information."
Tepper also discovered a text message thread from October 2022 involving members of TAD’s Information Systems department. In it, employees shared a link to a publicly available database containing a variety of TAD passwords. In the thread, Cal Wood responds that, if those passwords are available, that “means all taxpayer info are exposed.”
The next day, the department took down the webpage and replaced it with a more secure webpage.
"This information demonstrates that there were significant vulnerabilities in TAD’s systems that would have allowed access to confidential taxpayer information," Tepper said. "However, there is no evidence of an actual compromise of any taxpayer information."
Another factor Tepper said makes it difficult to find evidence of a breach is how much time has passed.
Certain logs on TAD’s systems were overwritten over time, and there's a possibility someone could have intentionally deleted logs that revealed confidential information was compromised. In the same text thread, Wood asked the other members of the Information Systems department if they had "erased footprints."
The TAD board is expected to decide on a new Chief Appraiser during Thursday's meeting at 2500 Handley-Ederville Road.