Ozark Electric, AT&T Seek Hacker

Whoever hacked into Ozarks Electric Cooperative Corp.’s automated outage reporting system on Dec. 29 and switched the greeting to a derogatory message could soon face jail time. AT&T’s toll-free division and Ozarks Electric are scrutinizing the company’s phone records to track down the guilty party.

Paul Bridges, a clerk at the Washington County prosecutor’s office, said computer trespassing that causes more than $2,500 in damage is a Class D felony and can bring a sentence of up to six years in prison. A first-offense computer trespass that causes no damage is a Class A misdemeanor and may come with 30 days in jail. Exponential fines and jail time may apply as the victim’s damages increase.

Ozarks Electric CEO Mitchell Johnson did not put a price on the damage his company sustained, but he said it would include the time and resources expended to find the hacker.

Johnson said the company knows the greeting was changed at 9:09 p.m. He plans to compare the time with AT&T’s list of incoming calls and their places of origin. Although the call list could provide a good lead, Bridges said actually finding the perpetrator might be difficult.

“If it’s a malicious hacker, they’re probably using a ‘freak box’ that allows them to steal the line from the telephone company to begin with,” Bridges said. “If it’s just a kid, they’ll probably find them quick. But if it’s someone who knows what they’re doing, then they’ll be pretty hard to find.

“Good hackers can cover their tracks and bounce signals all over the place.”

Ozarks Electric’s usual automated greeting allows customers to report power outages and request assistance. The message was changed to say all of Ozarks Electric’s employees had gone home and suggested that customers “call someone who cares.”

The truth is the company had 20 staffing the office, handling phone calls, and dozens others out in the field, working to restore power to more 1,500 customers. An ice storm had knocked out a number of area power lines.

But the problem was exacerbated about the same time Ozarks Electric’s greeting was changed. A large tree limb fell in Fayetteville and severed a transmission line that linked four substations. More than 17,000 suddenly were without power, but company communications manager Penny Storms said the crisis only lasted 45 minutes.

“We were able to recover pretty quickly and issue an apology to our customers,” Storms said.

Johnson said that the company’s wide area network had a firewall but that the automated reporting system relied on two simple security measures. The hacker only had to dial up the phone extension containing the greeting and then break a pass code of several digits.

“We definitely learned something,” Johnson said. “I would tell other business owners out there that no matter how good you feel your security is, double-check it and change any passwords on a periodic basis. Make sure you’ve got Fort Knox-type security.”

Ozarks Electric is beefing up its computer security as a result of the incident. Johnson said new measures would likely include a two-tiered password system that’s already in the works by automated answering system vendor DataVoice International Inc. of Dallas.