Marion Watch Predicts: Old, Unsafe Computer Habits Likely Still Harming City Finances

Marion Watch believes the City of Marion still has serious, basic computer security problems. We predict that city employees are still sharing passwords and that many have computer and/or New World permissions they shouldn’t have. New World is Marion’s financial software used citywide.

Why do we think this?

In the computer security world, there’s a basic rule: if an organization has a long history of severe money problems, you must assume it also has basic computer security problems. Big financial failures, like the ones Marion has seen for decades, signal a weak “control culture.” This means rules are not being followed. When this is the case, IT experts are trained to assume that fundamental security rules—like “don’t share passwords”—are also being ignored.

This isn’t just a theory; it’s a conclusion based on evidence. Marion Watch’s own inquiries and review of official documents from 2016 to the present led us to predict these exact failures. For example, we predicted that software safety switches were being disabled long before officials recently confirmed it. State audits cite the city for multiple severe IT control failures in the ’80s and ’90s.

And it seems we are not alone in this prediction. Some current officials have advised Marion Watch that they believe this is very possible, with one stating, “I think that this is just the tip of the iceberg.” Just after the November 4th elections, several officials we spoke to could not discuss the matter directly, but did ask very general questions about how to detect unauthorized permissions and password sharing on a network. Marion Watch provided these officials with a general guidance document on how to find such breaches. Also at the top of our list of suspicions: unqualified, non-IT staff are making changes to system permissions, which is confirmed. We are also deeply concerned with the lack of a known trouble ticketing system in the city’s IT department. This means user permission changes and other essential IT functions are handled through unofficial communications, possibly relying on simple verbal requests with no oversight or record.

The warning signs that this culture is still alive are everywhere, both old and new.

  • Recent Fraud: A $40,000 fraud case involving a “washed” city check was just discussed in a council meeting.
  • Illegal Spending: A deputy auditor recently admitted to making a $58,000 payment without any legal approval from City Council.
  • Weak Physical Security: For years, the city’s server room was also used as an office, a basic failure of physical security that shows a deep, long-term lack of understanding of IT safety. This practice reportedly only stopped when Mayor Collins took office.
  • A Long History: This is not new. State audits from the 1980s, 1990s, and 2010 all show a city that ignores basic rules. Recently, it was discovered that the city turned off safety controls in its software, giving employees “override” powers to spend money the city didn’t even have.
  • Leadership Blind Spots: The mayor was once unaware of a “rogue laptop” that the IT department knew about. If leaders aren’t told about a rogue computer, they probably don’t know about bad password habits either.
  • Non-IT Staff Making Permissions Changes: This practice is a critical security failure. System permissions are the “digital keys” that control exactly who can see, change, or delete sensitive information, especially in the city’s financial software. When people who are not trained in IT security make these changes, they can easily make a catastrophic mistake, like accidentally giving all employees access to private payroll files. Worse, it opens the door for deliberate fraud, allowing someone to give themselves or a friend the power to approve fake payments, steal data, or cover their tracks. It bypasses all oversight and leaves the city’s most sensitive data completely unprotected.

These failures all point to two simple, high-risk problems that we predict are still happening today.

1. Password Sharing

This is computer security 101. You never share your password. This rule has been a global standard since the 1970s when multi-user interfaces were rolled out. Yet, screenshots and official statements confirm this exact practice was still happening in Marion as recently as 2021. Because this bad habit is so old and so deep in the city’s culture, we have no reason to think it has stopped. Sharing a password is like giving your house key to a burglar. It makes it impossible to know who really approved a payment or changed a file. It destroys all accountability.

2. Lax Permissions

This means giving employees “keys” to parts of the computer system they don’t need for their jobs. An employee who just needs to view a report might also have the power to delete or change it. This is like giving every employee a key to the bank vault. It opens the door for huge mistakes and even internal fraud.

A $40,000 fraud or a $58,000 illegal payment doesn’t just happen. They are symptoms of a weak system. Until the city proves it has fixed these basic IT controls, we must assume this “culture of convenience” is still putting taxpayer money at risk.

IT Security 101: The Basics Marion Has Breached

To understand why these issues are so serious, here is a simple guide to the basic security rules that appear to have been broken:

  • Rule 1: One Person, One Password. Never share passwords. This is the only way to know for sure who did something. (Breached by password sharing).
  • Rule 2: The Principle of Least Privilege. Only give employees the “keys” they absolutely need for their job, and nothing more. (Breached by lax permissions).
  • Rule 3: Protect Your Equipment. The server room is the brain of the IT system. It should be a locked, secure room, not a public office. (Breached by using the server room as an office).
  • Rule 4: Use Your Safety Features. Financial software has built-in controls, like a reconciliation module and software “switches,” that are legally required to be active. These tools are designed to stop illegal spending (like spending from an empty account) and ensure all money is tracked accurately. Disabling these features, as was done in Marion, is not just bad practice. It undermines the integrity of all financial data and can be a violation of state laws (like the Ohio Revised Code) that mandate balanced budgets and accurate accounting of public funds. If federal grant money is involved, it also risks breaching federal law.
  • Rule 5: Control All Devices. You must know every single computer that is plugged into your network. (Breached by the “rogue laptop”).
  • Rule 6: Control When People Work. Access to sensitive systems should be monitored and controlled, especially after normal work hours. (Breached by reports of unauthorized after-hours access confirmed by former and current officials).

These problems raise serious questions for the city’s new leadership.

To truly fix this, the administration must demand answers from the IT staff and possibly the vendor of New World who oversaw these systems for years, including the IT specialist who has been in his position since the previous administration.

Tough questions must be asked

What did they know about password sharing and when? Who had unauthorized permissions, and why weren’t they fixed? What was known about unauthorized after-hours access? And how was the city’s main server room allowed to be used as an office, a severe breach of physical security? City IT must also be asked about anything that was asked of them that breaches globally accepted IT policy, and possibly law. Without holding long-standing staff accountable for past knowledge and practices, the city risks carrying the same broken culture forward.
