New leadership was installed in Prince George’s County’s Office of Information Technology earlier this year, with former director Wanda Gibson suddenly resigning, or — according to some inside the department — being pushed out amid complaints about her management and the culture fostered there.
Gibson had been atop the Maryland agency since 2019, and in recent years began to generate formal complaints from employees working under her — some of which were substantiated by the investigations those complaints triggered.
Sources told WTOP that under her management, along with the merry-go-round of deputies underneath her, security issues were only detected when agency leaders were alerted to the situation by outside monitors.
In one case, a vulnerability meant personal data of county residents was possibly exposed to hackers, though there’s no evidence it was actually obtained by bad actors. In both cases, the county downplayed the severity of the incidents, which have not been previously disclosed.
The first occurred at the start of summer in 2023, when Russian hackers involved in what’s known in Prince George’s County as “Urban Blizzard” — the county was among several governments around the country that were hacked — were able to gain access into the county’s network.
A report conducted by Microsoft described, according to one independent cyber expert who saw it, a basic level of cyber protection that was unacceptably low — roughly akin to what a new network would have before efforts were made to secure information. A former OIT employee said it was two months before the hack was detected, and it’s not clear what information may have been compromised.
A spokeswoman for Prince George’s County government acknowledged the incident, and said “a few accounts were compromised and that was it.” She also said the county was not affected systemically the way other governments around the world were.
Asked why it wasn’t disclosed publicly in 2023, she said the county commented on it at the time, but was unable to provide any record showing that statement. An internet search found no reference to the incident.
Server vulnerabilities
Then, in June 2024, the county received an email from the Multi-State Information Sharing and Analysis Center, a nonprofit organization that supports cybersecurity operations for over 17,000 state and local governments.
In the email, it warned of a server vulnerability that was detected. Two former OIT employees who are familiar with that breach told WTOP the servers contained the personal information of thousands of county residents, and that they grew frustrated when little was done to immediately remediate the situation.
One of the employees agreed to talk, but admitted being worried about revealing too much about the information that was made vulnerable because of the sensitivity of it.
A county spokeswoman said OIT ended up patching that server and, after reviewing logs, said there was no record of a breach.
Some documents related to the response showed it took a little over a week to solve. A source involved at the time told WTOP that outdated security problems were to blame, and suggested lax record keeping means the county would have no way of knowing if something was taken.
“Just like any government organization, you’re going to give them a lot of personal information about you, about your family,” said John Loucaides, a senior VP of customer operations with Eclypsium, which specializes in infrastructure security. “Those pieces of information are generally expected to be some of the most well protected attributes of your life.
“The county has those records and has a responsibility to protect them,” he added.
Lessons gone unlearned
Just a few months before that incident — but after the Russian hacking, WTOP learned the county paid outside hackers to try to break into its network of computers, essentially hiring someone from the outside to hack in and test the county’s cyber defense systems.
Despite knowing when the attack was going to happen, the hack itself triggered no alarms and went undetected. In particular, a summary of the test showed there were no alerts sent to the county via email or telephone, something that should have occurred.
The only alarm that was raised at all occurred when one of the hackers tried to log in from countries on two separate continents just minutes apart. A subsequent report said the alert that was triggered “was not due to test activity.”
“I always look at a isolated incident in cybersecurity as something that can happen to anybody, because you got unlucky,” Loucaides said.
But, in this case, he said there didn’t seem to be any lessons learned.
“If you are not investing in cybersecurity properly, then this will be a pattern, and this will not be an isolated incident,” he said. “That’s what I’m concerned about with this particular issue.”
Those undetected incidents would go on to be mentioned in an anonymous whistleblower complaint filed against Gibson earlier this year that said OIT had not properly reported the breaches that had gone undetected by the county’s cybersecurity teams.
Hostile work environment
It all happened during a time where the environment inside OIT could be summed up as toxic, according to former and current employees.
The complaint also raised questions about contracts given out by OIT to vendors around the country, some that are worth hundreds of thousands of dollars for what a source said was usually minimal work. It’s unclear how much of it was investigated by the county’s compliance office, since Gibson left her post after it was filed.
Multiple calls made to Gibson have gone unanswered.
A source confirms, however, that Gibson was also investigated several times by other county watchdog agencies, including the Office of Human Resource Management and the Office of Ethics and Accountability.
Multiple complaints filed by employees through OHRM, including allegations of a hostile work environment, racial discrimination and retaliation, were investigated independently. While many were not substantiated, several of them were.
Still, Gibson remained in her position despite those findings.
The county would neither comment on the circumstances that eventually led to Gibson’s departure, nor was there any response to the findings of the investigations triggered by employee complaints.
Get breaking news and daily headlines delivered to your email inbox by signing up here.
© 2025 WTOP. All Rights Reserved. This website is not intended for users located within the European Economic Area.
