In Florida, the site of recent mass shootings such as at the Stoneman Douglas High School and the Pulse nightclub, more than a year went by in which the state approved applications without carrying out background checks. This meant the state was unaware if there was a cause to refuse a licence to allow somebody to carry a hidden gun – for example, mental illness or drug addiction.
The reason is dismayingly banal: an employee couldn’t remember her login.
The login is for the FBI’s background check database, or National Instant Criminal Background Check System (NICS).
The database was created in 1993 by the FBI and the US Bureau of Alcohol, Tobacco, Firearms and Explosives. States and firearm retailers can use it to check on the criminal and mental health history of those who want to buy a firearm, including their histories in other states. The database flags applicants who’ve served more than one year in prison, have been convicted of drug use in the past year, are undocumented immigrants, were involuntarily committed or deemed to have a “mental defect” by a court, or who were dishonorably discharged from the military.
As the Tampa Bay Times reported on Friday, a previously unreported investigation from the Office of Inspector General (OIG) found that the employee in charge of the background checks was rubberstamping applications without checking applicants’ backgrounds.
The investigation found that the Florida Department of Agriculture and Consumer Services stopped using the FBI’s crime database in February 2016 when the employee, Lisa Wilde, couldn’t log in. She was the only one who regularly used the database, with the exception of a mailroom supervisor who was “barely trained” on the system.
It only came to light in late March 2017, when an OIG staffer noticed that she wasn’t receiving concealed weapon license (CWL) applications from anybody who’d been turned down – a situation that was “unusual,” she said. When interviewed, Wilde said that she’d had a login issue with the database but hadn’t followed up to resolve the problem.
Not only that, but colleagues “consistently” reminded her that the NICS database was supposed to be checked daily. She ignored them – at least, she didn’t respond until March 2017, when she said that to her mind, the NICS responsibility shouldn’t belong to her department.
In interviews with investigators, Wilde acknowledged that her actions were negligent and that she “dropped the ball”:
I know I did that. I should have been doing it and I didn’t.
But on Friday, Wilde told the Tampa Bay Times that she couldn’t figure out why she’d ever been given the duty in the first place: she was working in the mailroom when she was given oversight of the database in 2013.
I didn’t understand why I was put in charge of it.
During the time that Florida didn’t check the database, the state has been fast-tracking CWL applications, and its politicians have been bragging about how many concealed weapon licenses it has issued as well as how speedily they’re getting approved.
In 2012, Agriculture Commissioner Adam Putnam held a media conference to celebrate the issuance of the 1 millionth CWL, noting that since he’d been elected two years before, the time it took to process an application fell from 12 weeks to 35 days. According to the Tampa Bay Times, Florida now has 1.8 million concealed weapon permit holders.
The shootings at the Pulse nightclub, which left 50 dead, occurred during the time that Florida’s background checks had lapsed, though the shooter acquired his firearms license before that time.
On Friday, Wilde told the news outlet that her department was overwhelmed by the number of applications and the pressure from supervisors to speed up processing.
Within hours of the Tampa Bay Times having published the story, Putnam’s office reached out to say that once it learned about the background check lapse, it “immediately” reviewed 365 applications and revoked most of them: in all, 291 concealed weapons permits.
Putnam’s office said that “a criminal background investigation was completed on every single application.” The Agriculture Department spokesperson echoed that statement, telling the Tampa Bay Times that it conducted background checks using two other databases, the Florida Crime Information Center database and the National Crime Information Center database.
You know what would have helped in this case? A password manager.
They don’t just store passwords, after all – they also store user names, which can be an enormous help when dealing with the strings of similar looking characters such as L, l, I, I and 1, at the root of so many help desk calls. They even help with phishing, because they won’t automatically enter your credentials into the wrong site.
We’ve been banging the drum for password managers for years now, and we’ve written about some that are pretty easy to use. I guess Wilde isn’t a Naked Security reader.
Laurence Marks
Lisa wrote “You know what would have helped in this case? A password manager.”
You know what (probably) wouldn’t have worked in this case? A password manager. Government (and enterprise/institutional) systems are administered by an IT department. The user does not have authority to install programs including firewalls, AV, and password managers.
Mark Stockley
It would still have helped though, right?
IT Guy
But the IT department would have that authority and IF requested could well have fulfilled that need.
Epic_Null
As someone who is technically a state employee and who works IT, I feel it is important to point out that browser addons are not the same as normal programs. You do not have to be a member of IT to add things to the browser unless that has specifically been locked down, and even then – you can use LastPass as if it were a website. The only missing factor here is someone authorizing its use.
TM
I use a password manager. I don’t have to install anything…I mean I can, but I don’t have to.
Anonymous
Another Lisa Vaas special, including the misleading title and sensationalism and missing key facts. Your biases are showing!
Mark Stockley
That’s my title, not Lisa’s.
Lisa Vaas
I keep telling you, Mom, the editors don’t let me acknowledge you as the only person worth listening to in my headlines. :-)
mike@gmail.com
The shooter would have passed the background check anyways, no background checks didn’t stop being processed, and additionally the department described in this article does not contribute a significant number of entries to the database. Whoever wrote the title has an agenda, and it isn’t being an objective journalist. What was the point in even mentioning the Pulse shooting, since there is no actual link between the two stories? You admit that people were denied CCP/CCW permits in the article, but the title itself suggests that background checks weren’t running! Come on!
Paul Ducklin
It’s Florida, so they’re CWLs, not CCPs..
…but more pertinently, my assumption about why the author mentioned the recent shootings in Florida is that after something of that sort had happened you might assume that things like background gun checks would get, well, checked up on and would therefore be less likely to go unaudited, making the situation that arose here even more lamentable.
The story here isn’t really gun control (a topic that surprises Europeans by being so darn controversial in the USA, given that it doesn’t seem enormously difficult to acquire a legal handgun even in the more restrictive and bureaucratic States), but rather the cybersecurity “holy trinity” of policy/procedure/validation.
There’s no point in having a security policy if the procedure doesn’t provide any way for helping to make sure it’s followed and there’s no point in having a procedure to follow if no one checks that it’s being followed correctly, or waits so long to check that it’s pretty much too late (as in the case of that massive Yahoo breach).
It’s like keeping server or firewall logs – if you never look at them except to delete them, then don’t bother keeping them in the first place! You are just giving yourself a false sense of security by pretending to do something useful…
To me, that is the moral of the story here.
You can assume some kind of gun control agenda if you like – I didn’t write the article and I don’t know the author’s opinion on private ownership of firearms – but there’s a bigger, broader issue here that probably has a lot of organisations with formal procedures they never check up on going, “Hmmmm. Maybe *we* should do a security policy/procedure audit, just like the Florida Public Service.”
I’m kind of blind to hidden agendas in this particular story – I live in the UK and gun control has pretty much been a done-and-dusted deal here for decades, while the problem of poor attention to detail in cybersecurity is a clear and present danger.
If you unbanned handguns in the UK tomorrow it wouldn’t do anything to make my data more secure :-)
Pete in Seattle
I just got my CPL (concealed pistol license) renewed in under 2 weeks, complete with NICS. I live outside of Seattle however. You have to wonder why the Florida process takes 12 weeks… You’re right on about the password manager. Probably 75% of all my service calls these days are password-related. Cheers.
ejhonda
Of course they’re going to revisit all those illegally issued permits, right?
Paul Ducklin
According to the article, that’s happened (a significant number were revoked, presumably pending a re-check).
Pauline
Oh PLEASE!!!! The fault really lies with the employee (who should be FIRED) and the state of Florida for not training their employees properly! And if her co-workers noticed she wasn’t running the checks, where was her supervisor? He needs remedial training too. And don’t tell me NICS doesn’t have a button for “Forget your password?” Practically every website does.
plugh
From her response, “I didn’t understand why I was put in charge of it,” I don’t think a password manager would have helped.
TM
not understanding but knowing you have a responsibility? what happened when she was off work? who else took this role and yeah, who is her manager? sounds like a department run by Mr Bean….
Slow Joe Crow
The Tampa Bay Times grossly exaggerated and misstated what happened. Florida carry permits are run through the state’s own background check system and the NCIC and only denials and flagged applications go to NICS, hence the rarity. The actual number of improperly issued permits was around 250-275 which were promptly revoked.
This still makes Lisa Wilde’s behavior inexcusable but nowhere near as bad as the click bait headlines made out.
Paul Ducklin
Actually, the number you seem to imply we concealed (no pun intended) is stated right in the article: 291. It’s also clearly stated in the article that the permits weren’t issued without any background checks at all, just that a check that was supposed to happen, and that the records show happened…
…did not, and for a year no one noticed.
If you were responsible for publishing a software product, say, and the programmer in charge of quality assurance signed off that its standard pre-release tests had been passed when they hadn’t even been run, you’d want to revisit both the process and the policy that allowed a flawed process to last unnoticed for a whole year, would you not, even if you had issued only 2 or 3 updates in that time, let alone 291 of them?
mike@gmail.com
Don’t write sensational politically driven headlines and stories, and then people won’t be confused when they actually fact check them!
Paul Ducklin
You mean, when they check them and discover that the facts are correct :-)
Claude
Incompetent government at its worst. Fire them all, take away their unearned pensions and start over.
Greg Hewitt-Long
This article does not make it clear that these were not background checks on gun purchases, but instead checks on issuing Conceal Carry Permits.
Paul Ducklin
To be fair, it’s stated right in the first paragraph: “[The skipped checks meant that] the state was unaware if there was a cause to refuse a licence to allow somebody to carry a hidden gun.”
Elsewhere in the article we refer to CWLs, short for Concealed Weapon Licenses. (The application form and the permits issued in Florida officially use the words “Concealed Weapon or Firearm License”.)
The real point is that official documents were issued with no peer review, and that the process was not audited for a whole year.
Lack of simple peer review for important bureaucratic steps is a huge problem in many organisations – it’s how CEO/CFO fraud, also known as Business Email Compromise or Whaling often works. Cybercrooks persuade a staff member to rubber-stamp a change in bank account details for a major creditor and the next big payment goes straight to the crooks instead.
mike@gmail.com
I agree it isn’t clear and a lot of that seems to be from the title, and the way the article is written. Jumping around from topic to topic and not following through the process or the facts logically or honestly.
Steve
More fake news. Reduces my esteem for Sophos considerably.
Paul Ducklin
Considering that the Agriculture Commissioner (they look after weapons permits) in Florida is widely reported as stating that “this is an issue that as soon as we learned about it we acted upon it”, and that “we are talking about a very important process for the concealed weapon license process”…
…you’d be forgiven for assuming that this “fake news” was, in fact, entirely true.
Sometimes, life really is stranger than fiction.
mike@gmail.com
This is not a security issue, it’s hardly a tech issue, what it definitely is though, is a political one. Maybe stay out of politics unless you want to run for office?
Paul Ducklin
“I can’t remember my login so I’ll falsify official records” sounds like a cybersecurity issue to me. When you require someone to use a secure computer system to do their job then you need to make sure they can, do and will use it (and if they can’t then you need to whether the reason is that the system is poorly designed).
If you’re so keen on politics maybe *you* should run for office – but if you do, take a healthy attitude to cybersecurity with you!
Lateral
Fake comment.
Boat
Sounds like a simple phone call for a password reset would have done the trick. Here’s my 25 cents
s31064
I have to side with Lisa Wilde on one point. Why in God’s name was a mailroom person, someone hired to make sure snail mail gets routed to the correct people in the building as well as the highly secure task of putting outgoing mail where the USPS can pick it up actually given this job in the first place? Why not have her run IPS checks on the firewall too?
The government mindset just amazes me sometimes.
Tim Johnson
Florida’s over here giving away CWL’s like Oprah!
mike@gmail.com
CWL/CCP/CCW have been shown to cause violent crime to decrease, so maybe that’s a good thing?
RR
Is she trying to say she couldn’t understand the importance of this responsibility no matter her feelings as to why it fell upon her shoulders? She should have brought this to the attention of her supervisor in the beginning… but I use ‘supervisor’ loosely as no supervision is evident with a whole year lapse, from my view of this anyway. Something tells me even lunchtime rated a couple steps up on the priority list than this job.