News-Talk 740 KRMG
Posted: 10:03 p.m. Tuesday, Oct. 2, 2012

Tulsa City Manager: Mixup uncovered vulnerability

City of Tulsa Chief Information Officer on paid administrative leave

By Russell Mills

Tulsa City Manager Jim Twombly admits that the city made some sizeable mistakes in thinking its web servers had been hacked, when the incident was in fact a test performed at the city's own behest.

He says it did uncover some very real vulnerabilities, in particular with regard to the Tulsa Police Department website.

"The police website is quite vulnerable and what we need to do is basically rebuild that from scratch and that's what's going to take a long time," Twombly told KRMG.

As a result of that realization, the TPD site remains down and Twombly tells KRMG it will be rebuilt from the ground up.

The same may be said for the city's IT department, though there the process may begin from the top down. Ironically, it's a Tulsa police officer who will man the helm for the time being.

City of Tulsa Chief Information Officer Tim Golliver is on paid administrative leave following the hacking that was not a hacking incident.

Tulsa Police Captain Jonathan Brooks is now in charge as the city begins serious assessment of how to best clean up the situation.

"One of the first things that you do when you have an incident, whether it's a blizzard or what you feel is an attack on, you know, servers, the website, you know, one of the first things you do is have somebody in charge of response, you know, incident response and... everybody reports to and through that person what's going on and that was one of our weaknesses in this case," Twombly said.

He says Brooks is uniquely equipped for the task at hand because he's well-versed as a police officer in incident response, emergency situations and security, as well as being technologically knowledgeable and able to understand the issues involved.

As for any mishandling of the incident, Twombly says it was about protecting the website's users.

"In hindsight, should we have read things differently, should we have been more skeptical of our immediate fear and response? Hindsight is always 20/20 and perhaps we should have taken a slower approach," he admits.

But, "We did feel this legal and moral obligation to notify people because we did feel that there was a possibility that personal information had been accessed."

So after all the safety issues had been addressed and some 90,000 people alerted to a possible leak of their personal information, only then did the city realize it had actually been targeted only by its own security consulting firm, SecurityMetrics.

"Eventually, after we had done the mailouts and after we went back in and started debriefing on this and really picking it apart piece by piece, only then did we make connections that we hadn't made before."

He would not comment on why the city put Golliver on administrative leave, citing the confidentiality of personnel decisions.
