Personal information about licenses and unemployment — including names, addresses, birth dates, credit card and Social Security numbers — was left relatively unguarded on computers at the Department of Labor, Licensing and Regulation and may have been targeted for fraud, according to legislative auditors.
The audit of DLLR’s Office of the Secretary, Division of Administration and Division of Workforce Development detailed several major problems with computer security at the agency. Most of the problems were in the administrative computer systems, which handle professional licenses and unemployment insurance.
“If you’re going to accept payments with credit cards, you have to have controls in place,” said Legislative Auditor Bruce Myers.
In a response to the audit, DLLR Secretary Alexander Sanchez agreed with all of the findings. New digital security measures are on their way or in place, either as new systems or new policies to ensure that personal information is protected.
DLLR spokesman Michael Raia said that the department was not surprised by the findings of the audit, and said the necessary software changes are on the way.
“In this day and age, IT is always on the horizon,” Raia said.
Auditors found that personal information on people making unemployment insurance claims was often being transmitted in plain text that could be read by anyone who intercepted it. Many systems that collect this much personal information encrypt it, meaning that the information cannot be read without the decryption key.
According to the auditors’ report, when that information was encrypted, it used an encryption scheme that was relatively easy to break.
“This sensitive personal and financial information is commonly sought by criminals for use in identity theft,” the report states. “Accordingly, appropriate information system security controls … need to exist to ensure that this information is safeguarded and not improperly disclosed.”
Two commercial payroll service providers have access to DLLR’s unemployment database, and they periodically update records. Auditors found that the outside providers did not have any restrictions on their access to the database, and could easily access files of people whom they did not have to deal with.
Additionally, auditors found that several DLLR employees had unnecessary access to this information as well.
The electronic licensing system, in which almost 20,000 people entered personal information in fiscal year 2010, had similar security flaws, auditors found. Names, birth dates and Social Security numbers of people who used the site to register new licenses were available in plain text on the server.
Credit card information for people who had used the system to renew professional licenses was not adequately protected and had several security flaws.
The department also lacked measures to keep the site secure. The site was not monitored for suspicious traffic, and web security software did not adequately protect the entire database. Auditors found suspiciously high traffic on DLLR sites from computers in Latvia, but because of those security gaps were unable to tell what those users were doing.
“This was very suspicious,” Myers said. “You just don’t know what’s being done.”
Other computer-related problems included:
— Workstations were automatically logged in to the system. This means that anyone who sat down at the computer of someone with access to the system could get in.
— Of all the employees who could access the system, seven shared the same logins and passwords. Seven active accounts belonged to people who no longer worked at DLLR, and 21 accounts had not been used for up to almost two years.
— Security systems did not track employee access, some database changes and potential on-site security violations.
Auditors found other problems with financial record-keeping. These included:
— Failing to promptly endorse, deposit and record funds received by the Division of Workforce Development and Adult Learning for GED exams and transcript releases. Ten days’ worth of collections, adding up to $21,000, were not deposited until between 13 and 31 days after the money was received.
— Cash receipts that were electronically scanned and remotely deposited were not destroyed or secured after they were processed. Auditors found them in a folder under an employee’s desk.
— Receipts received through the electronic licensing system were not reconciled properly. In fiscal year 2010, auditors spotted a $200,000 discrepancy that could not be explained.
— Employees who split their time between DLLR and other departments did not have their time sheets reviewed to ensure that they were not reporting too many hours in total.
— Twenty-eight employees were able to prepare and approve their own time sheets between January 2009 and June 2010. Six of them did it between 11 and 40 times.
— Inventory records were not well kept.