SHARE
Veteran information, ODVA
Oklahoma Chief Information Officer Jerry Moore speaks to the Veterans Commission on Wednesday, Feb. 15, 2023. (Tres Savage)

The state’s chief information officer told members of the Oklahoma Veterans Commission on Wednesday that six databases maintaining veterans’ personal identification information are being managed on a site outside the state network, in violation of the law and at an expense paid by the personal credit card of a Department of Veterans Affairs employee.

Jerry Moore, Oklahoma’s CIO since 2020, said an investigation last year has given his office serious concerns about an ODVA system housing six datasets on a third-party server, something he told commissioners could put the security of Oklahoma veterans’ personal information at risk.

“We believe at this time that these databases contain transaction information between federal and state veterans agencies, including past and current veterans’ personal identifiable information,” Moore said.

Moore said the types of veteran information located on the unidentified server include names, addresses, Social Security numbers, driver’s license numbers, phone numbers, disability percentages and business details.

He named six datasets or databases:

  • Veteran-owned business systems database
  • Veterans employment opportunity database
  • Technical assistance systems database
  • State approving agency activity reporting database
  • Check it meta-system database
  • Program review system database

Moore said he has been unable to investigate the situation further without certain approvals from embattled ODVA director Joel Kintsel, who has clashed with his agency’s governing board and refused to attend Wednesday’s meeting and a prior Feb. 3 meeting.

“[I] put director Kintsel on notice that we feel like we have discovered this and we need action taken,” Moore said.

At this time, Moore said he does not know where the servers housing the ODVA program databases are located, but he does know that hosting services are being paid for by an ODVA employee’s personal credit card. Moore said he could not answer whether a private company or an individual possesses the servers.

“We have no ability to continue our investigation because it is privately managed,” Moore told commissioners. “The state has no rights. We don’t have admin rights to it. We see it. We know it exists. We see traffic going to and from it, but we have no ability to get into it to determine if it has been compromised.”

Reached Wednesday afternoon by phone, Kintsel said the database issue raised by Moore is “a red herring.” He provided NonDoc with his 12-page response to the Office of Management and Enterprise Services inquiry, which listed 15 alleged instances “where ODVA systems are not in compliance with state standards”

The OMES allegation regarding the datasets claims that Brint Montgomery, ODVA’s state approving agency administrator, manages the datasets in question:

Six tables (all housed within a single database) were created by and stored in a private server, managed by Brint Montgomery to use by ODVA’s programs (SAA, OKVetWorks, OKSteps). Consistently, we recommended moving the information to the state platform and the Hub & Spoke, yet so far unsuccessfully.

An Amazon author profile for a book edited by Montgomery regarding “relational theology” states that he “has been teaching logic and philosophy at Southern Nazarene University since 1995. He has interests in open theology and, more generally, in metaphysical matters concerning mind and free will.”

The response provided by Kintsel says “OMES is misinformed” about the hosting of the datasets

“The Oklahoma Veteran Owned Business System data was indeed transferred successfully to the state hub system,” the response states. “Other data tables are used as [State Approving Agency] transitionary data and are duly transferred to stipulated federal VA systems via the approved Citrix environment upon completion of approvals, compliance reviews, and quarterly reports per the standards outlined in the SAA Annual Cooperative Agreement.”

The answer concludes: “OMES possesses no organic expertise with these systems and there is no need for OMES to be involved in this process.”

Moore said his office is “culling through” Kintsel’s Feb. 3 response.

“A lot of it is that ‘there’s nothing here,'” Moore said. “We’re going through his barrage of information that isn’t associated with, really, the issue at hand. Most of it is that there’s kind of nothing to see here and there’s no issue.”

An Oklahoma Department of Veterans Affairs response to an Office of Management and Enterprise Services inquiry outlines six databases allegedly managed outside of the state’s computer network. (Combined screenshots)

OSBI: No request to investigate yet

Moore told commissioners that the use of a private credit card to purchase state information technology services “actually violates state statute.” However, Moore said his office has not taken steps to shut down the database system.

“The reason we haven’t done that is that we believe — because we see ODVA employees interacting with the system — that it is an integral part of current business operations for ODVA and therefore crucial to delivering services,” Moore said.

After his presentation, Moore declined to say whether the database matter had been referred to law enforcement.

But Brook Arbeitman, public information officer for the Oklahoma State Bureau of Investigation, said Wednesday afternoon that OSBI had not received a request for engagement on the ODVA database matter.

During Wednesday’s meeting, Commissioner Scott Sweeney questioned how the situation could be ameliorated, but Moore called it an employment matter to address with Kintsel, ODVA’s director. After the meeting — which featured no action on Kintsel’s employment — Sweeney expressed frustration with the CIO’s answer.

“I don’t think that we got a satisfactory answer other than it’s a personnel decision at that point, and we tabled any potential personnel action,” Sweeney said.

Commissioner Daniel Orr asked whether the unauthorized and external database poses potential problems for the state’s relationship with the federal government, which administers veteran benefits.

“I would expect that it puts your accreditation at jeopardy if we were to find indication of compromise or if there were audit findings that were not being remediated,” Moore said. “Most federal entities would consider that as part of their accreditation.”

Veterans Commission Chairman Robert Allen called the situation “very disturbing.”

“Right now, it seems that [the agency’s] mission has been compromised and could be further compromised were we to be in jeopardy of losing our accreditation,” Allen said.

Allen said commissioners have a meeting with State Auditor and Inspector Cindy Byrd later this month to discuss a potential audit of ODVA’s finances.

Orr, who was appointed to the commission by Gov. Kevin Stitt in January, said commissioners need additional information as it becomes available.

“I would like to see a report of this cyber breach — the entire report — at some point in time because this is still open,” Orr said. “Veterans’ information is still compromised and continues to be potentially compromised. We would like to end this as soon as possible.”

Secretary of Veteran Affairs and Military John Nash said “commissioners asked difficult questions and have received no answers.”

“The information we learned from the state CIO regarding ODVA’s use of a third-party website and its handling of veteran [personal identifiable information] is concerning,” Nash said in a statement following the meeting. “I plan to reach out to attempt to resolve this issue and to request that the administrator of this site immediately cooperate with state cybersecurity professionals to bring this practice to a halt until the site can be brought within state security protections and protocols.

“We want all veteran information to be protected in accordance with state statutes and guidelines. I am sure all veterans and Oklahomans would agree.”

Commission avoids executive session on Kintsel’s employment

From left: Vice Chairman Sid Ellington, Chairman Robert Allen and Commissioner Brett Martin speak with media after a Veterans Commission meeting Wednesday, Feb. 15, 2023. (Tres Savage)

Although Wednesday’s agenda featured a proposed executive session to discuss “the employee performance and conduct of Joel Kintsel related to the current workplace environment,” commissioners did not enter into executive session, and they took no action on Kintsel’s employment.

Asked at what point Kintsel’s refusal to attend the current commission’s meetings jeopardizes his employment at the agency, Allen said an inflection point is “imminent.”

“I think that the writing is on the wall. I think it is imminent. I think it needs to happen immediately,” Allen said. “I don’t think any of you would think I was honest if I said otherwise. He needs to come on board and comply and subject himself to the oversight of his governing body immediately.”

Allen’s appointment to the commission by Stitt has been challenged in court by the Military Order of the Purple Heart, and Kintsel has said he views the commission as illegitimate owing to the statutory question.

But Allen said Kintsel could be terminated if he continues to refuse engagement.

“I think that would be the logical consequence of an employee that is denying their supervisory board the ability to supervise them,” Allen said. “What other logical outcome would there be? I’m not saying that is what we are wanting or desiring, I’m saying that would have to be the logical step.”