Central Arkansas Water spent more money on a college degree of an employee than they did on data security
On July 13th, our Russ Racop received a text message purportedly about a past due water bill. As he has not associated his personal cellphone number with any Central Arkansas Water ("CAW") account he thought it was a scammer and made an appropriate response.
Racop had received a phone call from a scammer a few days before.
Scammers often use spoofed local numbers.
Spoofing is when a caller deliberately falsifies the information transmitted to your caller ID display to disguise their actual phone number.
The number used by the scammer is a number tied to LRPD Communications.
Racop called the number that sent the text message thinking it would be a non working number. He was surprised when it rang and connected him to CAW.
A little while later, Racop used a stand alone computer to access the link supplied in the text message, in the event that a scammer had spoofed the CAW number.
This is what he saw on the computer monitor.
In in field that asked for an email address, Racop typed firstname.lastname@example.org.
Much to his amazement this screen popped up.
|Redactions made to protect identity of customer|
Racop was amazed that CAW was not using two-factor authentication to protect access to customer accounts.
Other water companies use two-factor authentication to protect access to accounts.
The water company in Philadelphia, PA requires account number and service zip code.
In Baltimore, MD you have to enter the account number and street address of the service location.
Closer to home, the city of Jacksonville, AR requires a user ID and password.
Racop had a theory.
CAW was not spending a lot of money to set up its online payment system or secure access to account information if an individual had not set up an online account.
Racop tested his theory. On the CAW payment page he input random numbers in the account field. Each time he used the email address email@example.com.
Voila! Racop was correct. He could view statements for CAW customer that had not set up an online account to make payments simply by inputting a random number and using firstname.lastname@example.org as an email address. Racop found that if an account had a zero balance, the account number was not shown.
Racop reached out to CAW to make them aware of the situation, provided unredacted images of several accounts to show the flaw in their payment system.
What CWS stated in the email was false.
You did not need the account number and zip code to access an unregistered account on their online payment system as Racop had shown they did not employ two-factor authentication.
Racop checked the site and found it was not "paused" and he provided proof to CAW.
Instead of thanking Racop for pointing out the vulnerability, they made threats and implied they were going to have him arrested for pointing out their failure to protect customer data.
The CAW shyster, David Johnson, did not specify which laws were allegedly violated. No surprise, he got that job as he is a former state legislator (Good Ole Boy System).
Johnson did not want his photo used on the CAW website.
However a quick Google search produced it.
|David Johnson - CAW Shyster|
Now here comes the part of our story that will show that CAW spent more money for a college degree of one of their employee's, Chelsa Boozer, than they did on data security.
Boozer current position at CAW is Government Affairs Manager. She was initially hired as a Media Specialist.
Records obtained under the Arkansas Freedom of Information Act revealed that CAW used over $60,000 in public funds to pay for a graduate degree for Boozer.
Boozer even was featured in a video produced by the school.
When Boozer was an undergraduate college student she was on the school newspaper staff. She wrote a story criticize Student Government Association members that got a free tuition due to holding that position.
A word comes to mind... hypocrite.
Boozer had a hard on for sex offenders and went after them.
When she was a reporter for the Arkansas Democrat-Gazette, she targeted employees at Little Rock City Hall.
Boozer got around 12 city employees fired, including Thomas James Lovelady.
The Lovelady case was sketchy as a witness later recanted their statement made to police that led to his conviction.
Boozer hounded Lovelady to the point that he hung himself at Pinnacle Mountain State Park.Boozer was once a witness in a lawsuit and was questioned about her ethics as a reporter.
In addition to questionable ethics, Boozer flaunts violations of the law with impunity.
Boozer is a public employee and uses her personal Twitter account in connection with her public employment.
Arkansas and National courts have ruled that public employees and public officials cannot block constituents from their social media account as it's a First Amendment violation.
Yet Boozer has blocked us from viewing her Twitter feed.
Another word comes to mind... scofflaw.
Boozer also was involved in CAW shutting off water to Big Country Chateau because of an unpaid bill even though they knew tenants rent included payment for water. Making the tenants go without water was unconscionable.
But wait we have more...
Boozer obtained an Arkansas Marriage License for a covenant marriage here in Pulaski County in 2015.
However, it was illegally used in Tennessee by an individual that was not licensed or sanctioned to officiate or perform a marriage in the State of Tennessee.
Check out this link for additional information: https://theamm.org/articles/1384-can-you-use-a-marriage-license-in-another-state
Legally speaking, that was a sham or invalid marriage as an Arkansas Marriage License is only valid for a marriage to take place within the boundaries of the state of Arkansas. And even if you could use that license in Tennessee, the officiant was not licensed to conduct a marriage in the State of Tennessee compounding the offense.
The Pulaski County Circuit Clerk just files the license, they don't give a flying fuck whether its valid or not.
In 2020, Boozer was involved in a divorce proceeding.
It is our opinion, and that of attorneys we have consulted, they were not legally married. However, for shits & giggles, lets assume that they were legally married with a covenant marriage.
You can only obtain a divorce in a covenant marriage in Arkansas only if proof of certain acts have been committed.
Boozer's husband filed for a divorce so we can assume that he was the innocent party and she did something that would allow him to obtain a divorce under the Arkansas Covenant Marriage Act.
Boozer denied she has committed any act that would allow them to divorce.
The Court granted the divorce.
What proof was provided by her husband?
There is no record of that.
We have something to further investigate on based on a tip a reader emailed us, but that will be the subject of a future story.
This isn't the first time a government entity has attempted to gaslight Racop and use threats to try and prevent him from exposing failures in data security and privacy.