You are on page 1of 9
ID#: 2562 Warent# 00st 1 CF 125 In the County Court Ageney Ciae "TBs Leon County, Florida’ : ee Offenses against users of puters (F3) 102184 15 -ANIOS2b-” ~ yggrea of Gree os COMPLAINT Statute No. . 818.06 Hittin FLORIDA Charge (a) STATE OF FLORIDA ° vs. Rebekah Danielle Jones: Defendant Address IN THE. NAME AND BY THE AUTHORITY OF THE STATE OF FLORIDA Before me, thé undersigned authorty, personally appeared Spacial Agent Noel Pratts who, being first duly sworn says that onthe 10-day of November "AD. 2020. in Leon County, Florida, the eforesaid deferidant willfully, knowingly, and without authorization or exceeding authorization access or caused to be accessed any computer, computer system, ‘computer network, or electronic device with knowledge that suich access is. unauthorized’ or the manner:of use exceeds authorization Florida State Statute 615.06 (2}(a). ‘contrary to Sec., 815.06 (2y{a) Contrary {o the'statute, rule regulation of ether provision of law in such case made and provided, and against the peace and dignity of the State of Florida, Complainant ‘Address ‘Sworn to and subscribed before me this £4 dayor Fusery 2026p (LEO Judge, Assistant State Attomey of Notary Pubic ‘SEAL Ii: 2562 Pr IAWsIy>s 2 .CFIIS FSS 815.06(2){a) Offenses against users of computers, computer systems, computer networks,’ and electronic:devices (F3) if 129 Section 1 A: Your Alfant, Noel Pratts (hercafter veferred to’ as “Affiant’) is @ Special Agent sith: Department of Law Enforcement (FDLE) assigned tothe Tallahassee Regional Operations Genter (TRDC) {~ Cyber High/Tech Crime Squad. Your Affiant has 18 total years of law enforcement experce ‘with 13» Years of criminel investigative exper‘ence. Your fiat is certified axa Cyber Crimes inggatigetor te - National White-Collar Crime Center (NWC3} Board of Directors and has successfully copipléted trating Specific to’ Cyber-Crime “including but. not limited ‘to, Federal Bureau of Investigatians (FB) Cyber Intrusions, F's Explotig Network Communications, NW3C Basic Network Intrusion Investigations, SANS Introduction to:information Security, and Comp TIA Network+. Your Affiantis2 credentialed member of the FBI Cyber Tesk Force based our of the FB! Jacksonville Field Office. This FBI task force is comprised of federal and state law enforcément agencies engaged in the investigation of computer réleted crimes involving cyber intrusion. As 2 Speciat Agent with FDLE, your Afflant is authorized to investigate violations of Florida criminal statutes, Section2 ‘At Count 1:0n November 10, 2020, at approximately 24:20:20 (UTC -0500) and 14:42:36 (UTC -0500), Rebekah Jones (hereafter referred to as “Jonés") did violate Florida Stati Statute 815.06 (2)(a) by wilfully, knowingly, and without authorization or exceeding authorization access or caused to be accessed any computer, computer system, computer network, or electronic device with knowledge that such access is unauthorized or the manner of use exceeds authorization. Section Probable cause Ai To Wit: On November 10, 2020, Assistant Special Agent in Charge (ASAC) Keith Witmer from the Florida Department of Law Enforcement (FOLE) Tallahassee Regional Operations Centér (TROC) advised your Affiant to cofttact Otis Aaron, Public Health Advisor for CDC to the Florida Department of Health's Bureau ‘of Preparedness and Response regarding @ possible network intrusion to their ReadyOP system: Your Affiant contacted Mr. Aaron and learied that there wes an unauthorized access of an account from a depaitmental application used and operated by the Florida Department of Health {FOOH). During this ‘unauthorized access, a mass text message was sent. FDOH estimates that the message wos delivered to ‘approximately 1750,people before the software vendor was able to stop the message. The message read: “"t's time to speak up before another 17,000 people are dead, You know this is wrong, You don’t have to he part ofthis: Bea hero. Speak out before it's too late. -From StateESFS. Planning,” This message carried a time stamp of 11/10/2020 at 14:44:54 (UTC -0500}. 8; Your Affiant requested from FOOH the technical history IP logs for the time freme surrounding the text message including all users accessing the multi-user group “StateESF8.Planning” on ReadyOp, The multi- ser group State ESF8. Planning isthe state's emergency management support functions. The functions of SF8 Js Public Health & Medical. ESF8 coordinates the state’s health end medicel resources, capablities, ID#: 2562 and capacities. They provide the means for public health response, triage, treatment, and transportation. Some examples of ESF8 missions are Health & Medical Assessment Team Deployment, Medical Supply Deployment and Support for Healthcare facilities, Your Affiant reviewed the logs and learned that on November 10, 2020, the IPve address 2601:4¢1:4000;3a80:286e:3d41: fed:Sc4a logged into the systent at ‘14:20:20 (UTC-0500), aid 14:42:36 (UTC -0500) and sent @ group text at 14:44:54 (UTC -OS00). Utilizing ar open source search tool, your Affiant determined this IP address to be under the control and domain of Comcast Cable Commurications. Further examination of thie ReadyOp SMS text history logs, vihich were provided to your Affiant by FOOH arid the Vendor ReadyOp, revealed two previous text messages were also sent Gn Novernber 10, 2020. ‘The first massage was sent to Witness Aand read “It’s time to speak out before another 17,000 are dead. ‘Text Rebekah ~From: StateESF8.Planning." This message carried a time stamp of 22/10/2020 at 14:36:16 (UTC -0500)... The second text. message was sent to Witness'B and read “It’s time to speak up before another 17,000 are dead. ~ From: StateESF8.Planning”. This message carried a time stamp'of 11/10/2020 at 14:38:13 (UTC -0800). According to the FOOH and ReadyOp logs, only three messages were sent through the'system dn Noventber 20, 2020. ¢: Your Affiant drafted a subpoena that was reviewed and approved by the FDLE Regional-Legal Advisor (RLA). The purpose of the suopoene was to request that Comcast identify the account holder of the [P address (referenced in section 3 paragraph 8). The subpoena was reviewed, approved and issued by the Office of the State Attorney for the 2nd Judicial Circuit. The subpoens was then served.cn Cameast on November 12; 2020. D: On November 23, 2020, your Affiant received 2.response to the. subpoena from: Comcast Cable Communications, In the response, Comcast confirmed that the iP address was under thelr control and was assigned to an active customer account, Coméast advised in the response that the IP address for the date and time in question (Section 3-paragraph 8) resolved to the following account: Subscriber Name: REBEKAH JONES ‘Account Status: Active IP Assignment: Dynamically Assigned IP History: See Attached Esmail User ids: MEE <0 1cast.het &: With the new information, your Affiant reached-out to FDOH and spoke with Witness A in an attempt to identify the account holder and determine ifthe subject wais a current or former employee. Witness A advised that Rebekah Jones was a former employee of FDOK. Your Affiant was later informed by FOOH ‘that Jones was terminated approximately six (6): months prior on May 25, 2020. A sworn affidavit from Witness A stated the following: “Ms. Jones, 3 former employee of FOOH, was riot authorized to access, ID#; 2562 view, review, edit, or send any messages or any other information through the ReadyOp software system since her dismissal from FOOH". When employed at-FDOH 2 multi-user account holder had access to submit responses to forms and surveys, access and update situation reports, access arid updates SpNS Census Reports, view CHD Contacts lst for ESEB and Comprehensive Emergency Management Plane (CEMP} reviews, use mobile app, and view mission ready package list. While employed with FOOH, Jones's role would not have required her to send messages through the ReadyOp system: If, for same unfcrascen reason, Fones needed to send a message during her employment with FDOH, it would have required prior supervisor approval. On December 3rd 2020, your Affiant applied for a search warrant for the residence located at EEE '0 Tallahassee, Florida 32308. The warrant was submitted to the FOLE RLA, upon approval, twas forwarded to the Office of the State Attorney for the 2" Sudicial Circuit where it was again reviewed and approved. The warrant was submitted through the Leon County ewarrants system which ‘assigned it to Circuit Court Judge Joshua.lM1. Hawkes of the Second Judicial Circuit, Judge Hawkes determined probable cause existed for the search of the residence and issuéd the search warrant. G:-On December 7th 2020, at approximately 0830 hours, members from FOLE accompanied by @ uniformed Tallahassee Police Department officer executed the search warrant, During the search warrant 2 Hewlett-Packard (HP) tower computer (hereafter referred to “Exhibit #9") was seized. Inia post-Miranida interview Jones stated that in her household everyone has thelr own electronic devices and they do not ‘use each other's devices. Jones further stated that she is the sole user of Exhibit 19 a (Hewlett Packer) desktop, After this statement Jones requested legal counsel and the interview was concluded. H: Following the search warrant, forensie analysis was conducted on Exhibit #9 by FDLE computer forensic technicians. This analysis indicated the owner 2s IMM 2 gmail.com with a compute name.of DESKTOP-96R9EKS. Ouring this forensic analysis it was revealed that Exhibit #9 was the electronic device responsible for the two. separate accesses to the: FDOH. ReadyOp System based on the forensic exaimination of the Cookies. \:.A cookie is « small piece of data stored on the user's computer by the web browser while browsing o website. Cookies. were designed to ‘be a. reliable mechanism for websites to remember stoteful information or to record the user's browsing activity. J: Exhibits #9's logs show two records within the Chrome cookies with a timestamp of November 10, 2020 @ 14:60 hours with a created time of 14:20:19 and record two.on the same date at 14:20:21. it was ‘during this unauthorizéd access Jones exfiltrated data with a created timestamp of 14:32:48. K: Data exfitration (aka “data extrusion”) is the unauthorized transfer of data from a.computer. The transfer of data can be manual by someone with physical access to the computer or remotely utilizing the internet. L: Forensic analysis on Exhibit #9 reveals that on November 10, 2020, Jones downloaded a file containing 2,945,233 bytes of data from ReadyOp which equates to approximately 600-700 sheets of paper, The file Jones downloaded was named Roster_contacts.xlsx. This document contained the contact information ID, 2562 for aporoxitnately 19,182 people across the state of Florida. This file contained flersona! Information to Include first and last ame, organizatkins, titles, countiés located, personal email addresses and phone nurnbers. In spaaking with several of the affected: persons identified in this file, they advised they provided to FDOH this persona! Information for emergency contact purposes only and it was notte be disseminated outside:FDOH ESF. M;. Computer forensics revealed Jones downloaded:and saved this file (which is FDOM intellectual Property) to.two different destinations.- One destination was a shared folder on Exhibit #9. The other destination was ones’s personal Microsoft OrieDrive Storage Service, Nt OneDrive fs a cloud-based starage service for hosting files. Microsoft OneDrive is 6 way to store, syne ‘and share files in order to re-access them from various devices and focations. (0; Based on this evidence discovery your Affiant drafted a second search warrant for Jones's personal OneDrive account. On December 17th 2020 this search warrant was reviewed and approved by the Office of the State Attorney for the 2 Judicial Circuit and submitted through the Leon County ewarrants system which assigned it to Lean County Judg@ Ashenaft Richardson who found probable cause existed and issued the warrartton December 2ist 2020. Your Affiant served this search wartant to Microsoft on this sme date, P: On December 31", 2020, your Affiant received the reszonse from Microsoft containing the requested contents front Jonés’s OneDrive account. @& Your Affiant confirmed the prior evidence of data éxfiltration (mentioned in Section3 paragraph J) by locating the FDOH file within Jones's OneDrive account: R; Further review of the FOOH user access logs showed additional unauthorized access attempts to the ReadyOp system on November 12th, 2020. It. was deterntined. that 2.different IPve address wes responsible for the attempted. access... second subpoena was drafted and served to Cavicast in reference.to these additional access attempts. On. December 11, 2020 the subpoena was served to Comicast by Vour Afiant. On December 31, 2020, your Afiant recelved the response from Comcast. In résponse, Comcast réplied that the 1Pv6 acdress associated with the unauthorized access attempts on November 12, 2020 was assigned to subscriber Rebekah Jones residing at Es The attempts were blocked by FOOH's increased security settings implemented after the November:20" incident which now required a two-factor authentication (2FA). 2FA is an extra layer of protection used {0 ensure the security cf online accounts beyond just username and password, S; In summary, your Affight Believes. the aforementioned: evidence proves that Rebekah’ jones wes fesponsible for unauthorized access anid. severat unauthorized aécess attempts to'FDOH systems. The evidence further proves that during the unauthorized access, Jones exfitrated FDOH intellectual property. (Di: 2662 Qn March 1st 2020, FOOH was designated the lead agenicy to combat the Covld-18 pandemic for the State of Florida, Governor Ron DeSantis’s Executive Order 20-51 Section 4 states the following: “in accordance with section 381.0011 {7), Florida Statutes, 1 designate the Florida Departenent of Health as the lead Staté agency to coordinate emergency response: activities smong the various state agencies and: local governments. The State Health Officer, or his designee, shall advise the Executive Office of the Governor ‘On the implementation of these emergency. response “activities.” During the. pandemic the State Emergency Resportse Teams (SERT) grouped into 18 standard Emergency Support Functions (ESFs}. Each ESF Is comprised of one primary agency and several suoport agencies and organizations. ESF@'s function is Public Health & Medical. ESF8 coordinates the state's health and medicat resources, capabilities, and capacities. They provide the means for public health response, triage, treatment, and transportation. Some examples of ESF8 missions are Health & Medical Assessment Team Deployment; Medical Supply Deployment and Support for Healthcare fe: Vital to FOOH's role in carrying out this mandate is the use of an effective data management application such as ResdyOp’s web-based platform to coordinate Healthcare Provider submhission. and approval tracking as well as Mission Ready Package Development such as having a Health and & Medical Team. Deployment. According to FDOH personnel, ReadyOp is to be used strictly for emergency and disaster situations only. in fact, the ReadyOp system is governed by FDOH's information Security Policy with strict procedures in place. In order to be granted access to and usé of ReadyOp, FDOH employees are provided training omits use and procedures. in communicating with FDOH personnel your Affiant learned that these’ acts by Jones are the ony instances they can recall where the ReadyOp emergency messaging system was abuséd or missed either by accident or in this case, intentionally. As ¢ former employee, Jones was made aware of these security policies and procedures. Thisis due, in part, to Jones having been assigned to the ESF:8 group and having access to the group's ReadyO¢ login information. Jones's actions caused doubt and confusion amongst many of the working groups that share the multi- user account for ESF-8 Planning and Preparedness és they were unsure whether this message was sent by official personnel. {talso resuited in personnel with FOOH Information Technology Services having to stop their. current. work assignments and divert thelr attention to addressing this possible cyber-attack. Witness B is an ITS Manager with FOOH who stated thet when the message initially went out they immediately began following protocols related to addressing’ cyber Intrusion or un-authidrized access into the FOOH network. This included reaching out to the system administrator for ReadyOp to begin ‘working togetiier to address the issue. Witness B stated that “everyone who réceived the message on our floor started protocol to report the issue ub." According to Witness B, this amounted to approximately 30 (thirty) FOOH employees having to cease their regular duties and begin addressing this incident. It should be noted that the way FOOH uses ReadyOp to. conduct its business in combating the Covid-19 pandemic'is multi-faceted beyond just a simple messaging system. In fact, RezdyOp, in use by FDOH, contains sensitive and confidential information to include personal identifying information {such as that mentioned in section 3 paragraph L) as well as medical and epidemiological records that are exempt from public record under Florida law. ‘Your Affiant was informed that Jones was not authorized to access the FDOH.ReadyOp system or any systems pertaining to the Department of Health after her termination on May 25, 2020. ID#: 2562 ‘The evidence provés'that tlie defendant, Retiekah Jorias, willfilly, knowingly, arid without authorization or exceeding authorization, accessed or caused to be accessed any computer, computer systém, computer network, or electronic device with knowledge that such access is unauthorized or the manner of use exceeded authorization. ‘The offenses described herein occurred within the legal Boundaries of the State of Florida, THE PRECEDING IS TRUE 11 KNOWLEDGE OR BELIEF. SIGNATURE: AGENCY: FLORIDA DEPARTMENT OF LAW ENFORCEMENT (FDLE). NOTARIZATION: SWORN AND SUBSCRIBED BEFORE. aw ves LY DAY or-sMavatd 2021 5A 902 Sao NOTARY PUBLIC/ASSISTANT STATE ATTO! (leo) ORDER ‘THIS CAUSE coming before me as a First Appearance Magistrate, and having reviewed the yp esing affidavil, this court finds: Probable Cause is Sufficient Probable Cause is. NOT Sufficient Leon Courky Judge. JUDGE ID#: 2562 Wertant # Xo (oF IQS In the County Court Agency Case # ~ 1L85-0058 .: Officer 1D. # 1184 Leon County, Florida “ils. n Ofgnees BgaINeT TSS oF WARRANT ZL JAN 1S AM IQ: 21 Degree of Charge. F3 Charee, computers (F3) Statute No. 815.06 Oia STATE OF FLORIDA vs. Rebekah Danielle Jones Defendant, Address IN-THE NAME AND BY THE AUTHORITY OF THE STATE OF FLORIDA TO ALL-AND SINGULAR THE SHERIFF'S OF THE STATE.OF FLORIDA: WHEREAS, @ Complaint hes this ¢ay been filed before me by |__ Special Agent Noel Pratts __- ‘who, being first duly sworn saysthatonthe _ 10 dayof November VAD, 2020 in Leon County, Florida, the aforesaid defendant wilfully, knowingly, and without authorization or exceeding authorization access or caused to be accessed any ‘computer, computer system, computer network, or electronic. device with knowlédge that such access is uniauthorized or the manner of use exceeds authorization Florida State Statute 816,06 (2)(a). contrary to Sec, 815.06 (2\(a) ‘contrary to the statute, rule, regulation or other provision of law in such case made and provided, and against the peace and digrity of the State of Florida, ‘THESE ARE, THEREFORE, to commend you f arrest instanter the aforesaid defendant and bring him or her before me to be deat wath according to law. Given under my hand and seal this. day of } 4p) 02 { 20, Vina _ABiiaeuife L ean Sry tusge Aorerkt Rihrdson———___ (SEAL) County Court Judge Lean County EXTRADITION APPROVED: Yes WARRANT IN THE:COUNTY COURT LEON GOUNTY, FLORIDA Received this Warrant on the ‘THE STATE OF FLORIDA, PLAINTIFF and served same on the vs. ‘by delivering @ tue copy oF same to the within Rebekah Danielie Jones named defendant, WARRANT Sheri : ‘County, Florida. Offenses against users of computers (F3) "THE AMOUNT OF BAIL IN-THIS. CASE 1S HEREBY SET INTHE SUM OF dvd pepeojumop Sem BJep esoyM SWUNOIA YIM JOB]UCS ON, | '$82008 JeUE]U! ON Jayndwos 0} sseo0er ON 79Sz ‘#l