An internal El Paso County audit meant to test the county’s readiness for destructive malware briefly slipped into public view on the county website, then disappeared after a local TV station flagged it. The report is stamped “Confidential for Internal Use Only” and lays out 14 findings, including excessive administrative access, weak patch management, and inadequate backups that auditors say could leave systems vulnerable. County officials told reporters the posting was accidental and that steps were taken after the discovery.
As reported by KFOX14/CBS4, the station says it found the audit while reviewing county records on May 21, and that county staff removed the file from public access on June 2 after inquiries. County Attorney Christina Sanchez told the station, “It was human error,” and emphasized that the document was taken down “as it should be.” The county asked that journalists refrain from redistributing the report and pointed to the Texas disclosure law when explaining why it should stay offline.
Audit shows specific gaps that could be exploited
The audit, titled El Paso County Destructive Malware Readiness, is posted on the county auditor’s site and is marked confidential. It lists 14 findings and details weaknesses in endpoint protection, network security, patch management, and backup and recovery processes. Auditors identify 401 users with administrative access to personal computers, flag servers running unsupported operating systems, and note gaps in change management and asset inventory practices. The document also includes action plans and estimated completion dates for addressing the issues.
Timeline and unanswered questions
According to KFOX14/CBS4, county staff told the station they could not locate the document until the outlet provided a direct link. The county did not answer follow-up questions about how long the file had been publicly accessible or how many times it may have been downloaded. The auditor’s office declined an interview, KFOX14 reports, while the county says it has implemented “additional measures and controls” to prevent a repeat. That leaves basic exposure questions about who saw the file and when, unresolved for now.
Why the law matters
What the audit recommends
The audit lays out specific fixes. It recommends implementing privileged access management tools such as BeyondTrust to cut down on administrative accounts, tighten patch management, align disaster recovery planning with backups, and improve asset inventories. The report assigns responsible managers and lists estimated completion dates and notes, for example, that an implementation milestone for privileged access controls was scheduled for March 31, 2026. Those remediation plans sketch a roadmap for improving defenses, but do not explain how or when the county stopped the public posting, or whether any sensitive information was copied while the file was exposed…