After police raid on COVID-19 whistleblower, it’s revealed password was publicly posted on Florida Department of Health’s website

Same username and password was shared with all employees… and the entire internet.

Graham Cluley
@gcluley

On the latest “Smashing Security” podcast, special guest Anna Brading told us the story of Rebekah Jones – the architect of Florida’s COVID-19 dashboard, who was fired after refusing to follow requests to manipulate the data for political purposes.

Jones’s home was raided and searched by armed police earlier this week, after authorities claimed she was the person responsible for using a state emergency-responder system to send a message to some 1700 personnel.

Sign up to our newsletter
Security news, advice, and tips.

The message urged recipients to stand up to pressure from their bosses to hide the full picture of how the pandemic has impacted Florida residents:

“speak up before another 17,000 people are dead. You know this is wrong. You don’t have to be a part of this. Be a hero. Speak out before it’s too late.”

Jones has denied having anything to do with the message or the unauthorised access to the emergency system, and has shared a video of the raid on her home:

Now it has been revealed that not only were the same username and password shared by all state employees with access to the emergency alert messaging system, but also that those login credentials were actually posted on the website of Florida’s Department of Health.

Umm.. regardless of who might or might not have sent the message that started this whole furore, it doesn’t sound like the state of Florida was taking password security seriously.

Passwords should not be shared. Passwords should not be posted publicly on websites. Passwords should be changed when people leave your organisation. Passwords should be unique, impossible to guess, and difficult to crack.

You can hear more about the background on this case on the latest “Smashing Security” podcast:

Smashing Security #208: 'Hidden treasure, COVID tracker trauma, and happy holidays with IoT'

Your browser does not support this audio element. https://aphid.fireside.fm/d/1437767933/dd3252a8-95c3-41f8-a8a0-9d5d2f9e0bc6/2fcec98a-e708-41e3-b55c-86c20d4dfd80.mp3

Listen on Apple Podcasts | Google Podcasts | Pocket Casts | Spotify | Other... | RSS
More episodes...

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One comment on “After police raid on COVID-19 whistleblower, it’s revealed password was publicly posted on Florida Department of Health’s website”

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.