State Senators grilled state information technology officials during a hearing last week, as the officials detailed how thousands of state records were accidentally deleted during server maintenance last month, and what’s being done to prevent a similar incident in the future.
"I want to be very clear from the beginning: This was not a data breach. This was not a hack, and it was not a cybersecurity incident compromising any resident data,” Neil Weaver, Secretary of the Office of Administration said at the joint meeting of the Senate Communications & Technology and State Government committees. "This was an incredibly serious human error that I do not take lightly.”
The Office of Administration oversees IT services at dozens of state agencies. On Jan. 3, an employee accidentally deleted data from 77 servers, leading to what Weaver called a "limited data loss incident.”
The data has been recovered for all but one of the servers, but data for two systems used by the Pennsylvania State Police (PSP) and a system used by the State Employees Retirement System (SERS) were on that server and can’t be recovered.
Weaver was joined by the commonwealth’s Chief Information Officer Amaya Capellan and Chief Information Security Officer Jim Sipe in explaining how the data loss occurred. They declined to give specifics about many of the processes and how exactly the incident happened, citing security concerns about divulging too much sensitive information publicly. But Weaver stressed that there was "no evidence to link remote work with this incident.”
The systems that were deleted included one used by PSP to manage case information and log evidence. The SERS system that was deleted was used for its members to log in. SERS said none of its members’ data was accessed or stolen.
Several of the senators expressed frustration about the way state officials had been notified of the incident— four days after it occurred.
"I think you should have been notified immediately,” Sen. Cris Dush (R-Jefferson) told Weaver. Recovery for the other 76 servers had been successful, but when they failed for the last server, he was notified, Weaver said.
Sen. Kristen Phillips-Hill (R-York) said she had called for a restructuring of the Office of Administration, but her requests were met with resistance.
"For years. I have been saying that the mismanagement of the Office of Administration was creating a vulnerable environment for our state,” Phillips-Hill said. "Mr. Secretary, I would contend that things are not going well. And they haven’t been going well for quite some time. And I think that the mismanagement of our state’s information technology is evident.”
Weaver, who was appointed to his current role in January 2023, said he was brought on by the governor to make sure the organization did not operate as it had been.
"I’ve committed to turning this around,” Weaver said. "It is a huge, mammoth, Herculean effort to do that.” He added that a reorganization was underway so the OA "will not be anything like it looks now.”