Baltimore’s SideStep Program Rocked by Fraud and Data Breach, Inspector General Finds
A recent investigation by Baltimore City Inspector General Isabel Mercedes Cumming uncovered fraud and a serious data breach within the city’s SideStep program, a pilot initiative aimed at reducing youth recidivism. The program, operated by the Mayor’s Office of Neighborhood Safety and Engagement (MONSE) from 2022 to 2024, paid 15 contractors approximately $690,000 to provide services to at-risk youth with low-level police interactions.
Cumming’s report, released Tuesday, revealed that two contractors submitted fraudulent invoices, costing the city thousands of dollars. One contractor altered invoices to inflate payments, while another failed to provide supporting documentation for submitted bills. The exact financial loss remains undisclosed due to an ongoing criminal investigation.
The investigation also exposed a data security violation when a MONSE employee improperly shared sensitive information on 700 city youth, including their names, birth dates, and criminal charges. The employee forwarded the data to a relative’s personal Gmail account in 2023, violating Maryland state law and MONSE’s internal policies.
In response, MONSE Director Stefanie Mavronis acknowledged the breach, calling it an "unacceptable" act by a former employee and stating that the agency is working to recover misused funds and ensure compliance with data-breach notification requirements. Mavronis emphasized that the incident was an isolated case, not indicative of broader MONSE data practices.
The report also highlighted an ongoing dispute between Cumming’s office and Mayor Brandon Scott’s administration over access to city records. The administration has restricted the Inspector General’s access to legal and financial documents, citing attorney-client privilege and Maryland Public Information Act exemptions. Cumming has filed a lawsuit to compel compliance with subpoenas, arguing that oversight is critical to preventing fraud and liability.
The findings underscore financial mismanagement and data security failures in a program intended to support at-risk youth, while raising questions about transparency and accountability in Baltimore’s city agencies.
DC Office of Neighborhood Safety and Engagement cybersecurity rating report: https://www.rankiteo.com/company/dconse
{
  "id": "DCO1773772073",
  "linkid": "dconse",
  "type": "Breach",
  "date": "1/2023",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '700 city youth',
                        'industry': 'Public Safety / Youth Services',
                        'location': 'Baltimore, Maryland, USA',
                        'name': 'Mayor’s Office of Neighborhood Safety and '
                                'Engagement (MONSE)',
                        'type': 'Government Agency'}],
 'attack_vector': 'Insider Threat',
 'data_breach': {'data_exfiltration': 'Shared via personal Gmail account',
                 'number_of_records_exposed': '700',
                 'personally_identifiable_information': ['Names',
                                                         'Birth Dates',
                                                         'Criminal Charges'],
                 'sensitivity_of_data': 'High (names, birth dates, criminal '
                                        'charges)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)']},
 'date_detected': '2023',
 'date_publicly_disclosed': '2024-06-11',
 'description': 'A recent investigation by Baltimore City Inspector General '
                'Isabel Mercedes Cumming uncovered fraud and a serious data '
                'breach within the city’s SideStep program, a pilot initiative '
                'aimed at reducing youth recidivism. The program, operated by '
                'the Mayor’s Office of Neighborhood Safety and Engagement '
                '(MONSE), involved fraudulent invoices submitted by '
                'contractors and a data security violation where sensitive '
                'information on 700 city youth was improperly shared.',
 'impact': {'brand_reputation_impact': 'Negative impact on MONSE and Baltimore '
                                       'city administration',
            'data_compromised': '700 records',
            'financial_loss': '$690,000 (program cost, partial fraud loss '
                              'undisclosed)',
            'identity_theft_risk': 'High (PII exposed)',
            'legal_liabilities': 'Potential violations of Maryland state law '
                                 'and data-breach notification requirements',
            'operational_impact': 'Program integrity compromised, ongoing '
                                  'criminal investigation'},
 'investigation_status': 'Ongoing (criminal investigation, legal dispute over '
                         'records access)',
 'lessons_learned': 'Need for stricter financial oversight, improved data '
                    'handling policies, and transparency in city programs.',
 'motivation': ['Financial Gain (Fraud)', 'Negligence (Data Breach)'],
 'post_incident_analysis': {'corrective_actions': ['Fund recovery efforts',
                                                   'Policy review for data '
                                                   'handling and contractor '
                                                   'oversight',
                                                   'Legal action to resolve '
                                                   'records access dispute'],
                            'root_causes': ['Lack of financial controls '
                                            '(fraudulent invoices)',
                                            'Improper data handling by '
                                            'employee (data breach)',
                                            'Insufficient oversight and '
                                            'transparency']},
 'recommendations': ['Enforce stricter contractor invoice verification',
                     'Implement robust data access controls and employee '
                     'training',
                     'Ensure compliance with data-breach notification laws',
                     'Resolve legal disputes over Inspector General access to '
                     'records'],
 'references': [{'date_accessed': '2024-06-11',
                 'source': 'Baltimore City Inspector General Report'}],
 'regulatory_compliance': {'legal_actions': 'Potential (data-breach '
                                            'notification requirements)',
                           'regulations_violated': ['Maryland state law',
                                                    'MONSE internal policies']},
 'response': {'communication_strategy': 'Public disclosure via Inspector '
                                        'General report, acknowledgment by '
                                        'MONSE Director',
              'containment_measures': 'Data recovery efforts, compliance with '
                                      'data-breach notification requirements',
              'law_enforcement_notified': 'Ongoing criminal investigation '
                                          '(implied)',
              'remediation_measures': 'Fund recovery efforts, policy review'},
 'stakeholder_advisories': 'MONSE Director acknowledged breach; Inspector '
                           'General emphasized oversight importance.',
 'threat_actor': 'MONSE Employee (Insider)',
 'title': 'Baltimore’s SideStep Program Fraud and Data Breach',
 'type': ['Fraud', 'Data Breach'],
 'vulnerability_exploited': 'Improper Data Handling'}