A security company which performed a test on Tulsa's website that city IT employees interpreted as a hacking attack says a simple check would have prevented the false alarm.
The city hired SecurityMetrics, based in Orem, Utah, to conduct tests on the city's web infrastructure, probing for security risks.
The company did so and found some vulnerabilities, particularly in the Tulsa Police Department's site.
But despite the fact that SecurityMetrics had been hired by the city and sent a report on its findings by email the next day, something led city IT employees to believe someone had breached the web server's security.
They shut down the city's website.
Tulsa City Manager Jim Twombly ran a check on the IP address of the computer from which the apparent "hacking" attempt had been launched.
Twombly told KRMG that IP address checked back to a known spamming website, but statements by SecurityMetrics indicate that's not the case.
They say they used an IP address registered to their company and a simple trace back to the source should have allayed any fears of an attempted hacking attack.
Moreover, no one from the city apparently attempted to contact SecurityMetrics about the supposed breach for quite some time.
It took three weeks for the city to figure out what had actually happened and the website remained down for that entire time.
Parts of it remain down, particularly the police website, which Twombly indicates will have to be rebuilt "from the ground up" due to its security vulnerabilities.
KRMG contacted SecurityMetrics and spoke with Amanda Harmon, Manager of Corporate Communications.
She said the people who had worked on the project or could comment on what happened on the record were all unavailable Thursday and they apparently could not be reached by phone.
Nor could she go on the record to answer any questions.
She did send KRMG a brief written statement, included here in full:
SecurityMetrics conducts regular vulnerability scans for tens of thousands of clients each month and uses an identical process to notify all account managers of scan results following each scan completion. In addition, each client has 24/7 online access to their SecurityMetrics account which includes times of past and future scans, and individual scan vulnerabilities. Although there was no breach, we applaud the City of Tulsa for implementing a punctual and accurate response process.
KRMG called back to ask for clarification of the company's characterization of the city's response as "punctual and accurate."
Harmon said she believed that referred to the city's decision to immediately notify "the authorities" and take the website offline, due to its belief that the site had been hacked.