MADISON COUNTY, Miss. (WLBT) – A Madison County Youth Court judge’s official account was hacked by scammers last month, potentially putting sensitive data at risk.
That’s according to documents obtained by 3 On Your Side through an open record request.
On October 15, Judge Staci O’Neal’s account was breached after she opened a spam email via her cell phone.
O’Neal confirmed the hack but denied the presence of any sensitive information in her account.
“They probably saw my grocery list, and correspondence with my staff and stuff,” she said. “I don’t keep financial information in my inbox.”
However, an October 24 email from County Administrator Greg Higginbotham reveals her account included an “Active Case Report,” as well as information on other minors currently in the Youth Court system.
A report from Pileum Corporation, the county’s security consultants, states hackers had access to the judge’s account for 33 minutes.
During that time, 17 email items were accessed, and two Teams sessions were started, the report stated.
Information Technology (IT) officials were unable to determine which emails were viewed and said that email items “can include more than one email.”
Pileum also reported that the second Teams session “recorded three failed login attempts by the threat actor… after [Judge O’Neal’s] account credentials were changed by Madison County IT.”
It was unclear what hackers were able to obtain through Teams. O’Neal says she doesn’t use the messaging app. However, Pileum states that “files can be viewed through the program without generating traditional log items.”
The breach represents the second high-profile scam impacting the county in recent years.
In 2024, the county was bilked out of $2.7 million after it received emails asking officials to update the account information for “Jay Hemphill” and “Hemphill Construction Company.”
At the time, the Florence-based Hemphill was working on a major road project for the county. Officials only learned of the scam after the real company contacted them asking for payment.
In January of this year, authorities announced $2.1 million of that funding had been recovered.
Hackers this time were thwarted in a matter of minutes.
A timeline from Pileum reveals the first threat actor was detected at 3:27 p.m. O’Neal’s password was changed at 4 p.m.
Hackers logged into O’Neal’s account nine times during that period, with sign-ins being reported from New York, New Jersey and Germany.
Higginbotham said the county does not have a “board-adopted” protocol to notify officials of breaches.
However, he said he reached out to the judge almost immediately.
“In this instance, the county administrator attempted to notify the judge. However, the judge was unavailable, so the county administrator notified the court administrator,” he said.
He said the county currently provides “world-class” cyber security training to employees and elected officials, and that all officials – including judges – must take it.
“County training protocols preclude individuals from clicking on unknown or unsafe links. The fact the account was hacked by clicking on an unknown and unsafe link is conclusive evidence that the protocols were not followed,” he wrote.
Training aside, Pileum recommended O’Neal review all documents stored in her personal OneDrive folder to ensure no sensitive data was located there.
Emails are retained in individuals’ mailboxes for three years and backed up in the county archives to comply with public records laws. Data stored on local computers or servers is stored until the user deletes it, Higginbotham explained.
The consultants also are recommending the county upgrade its Office 365 licenses, which would, among other things, block sign-ins from outside the United States and disable legacy authentication protocols.
At the time of the hack, O’Neal did not have multi-factor authentication enforced on her account, according to the report.
The county’s Conditional Access Policy requires it, but consultants say it is not enforced.
Copyright 2025 WLBT. All rights reserved.






