Missing Security at Minnesota Driver's License Website

Series of missteps left personal and financial data vulnerable at Minnesota's license tab renewal Web site


When the state shut down its online license tab renewal system in April after two legislative audits discovered serious security flaws, legislators blamed department heads, department heads blamed staff, staff and investigators blamed budget cuts, and nearly everyone blamed the rush to pioneer a new convenience for Minnesota motorists.

However, a Pioneer Press review of hundreds of internal state memos found that managers, including high-level officials, knew there were problems with the system but either ignored the many red flags or were hamstrung by cost constraints.

In the end, the Driver and Vehicle Services division made ease of use a higher priority than security, never believing anyone's personal and financial data were at risk.

For the first time, interviews and state documents detail the deep divisions and bitter back-and-forth that simmered for years within the agency a part of the Department of Public Safety over the system's perceived shortcomings.

Numerous staff and top managers knew as early as 2002 of critical security problems with the site, including evidence of hacking, but ignored them or did little more than talk about possible solutions.

Responsibility for implementing and monitoring security software and protocols was dispersed among different divisions, so tasks often weren't done.

Jobs went unfilled and outside security consultants were not hired because of the state's budget deficit and belt-tightening.

Just one manager was placed on administrative leave because of an internal investigation into the matter. She resigned in August.

To date, there is no evidence that anyone's name, address, phone number, credit card information or bank account information has been stolen.

Department of Public Safety Deputy Commissioner Mary Ellison said no one intentionally ignored security.

"You enter into things under the mantra of customer services and then you realize, well, I guess this is something we should have paid more attention to," she said.

In October 2000, Driver and Vehicle Services rushed to roll out the system; it was one of the first applications of e-government in Minnesota. Officials put the cost at less than $1 million, and most of that was staff time. Its popularity grew, and by last year nearly 30 percent of renewals were done online and the system was generating revenue of $30.5 million.

At the time, Minnesota landed in the top 10 states using e-government in an annual survey by Brown University. Today, Minnesota has plummeted to 42.

During the first year of the site's operation, the legislative auditor uncovered 10 security flaws in the system and made 17 recommendations to tighten it.

Officials took action on about six of those recommendations. But other changes were not completed until this past April, just as a second legislative auditor's report was being released, according to state documents. Five problems directly related to protecting consumer information were not fixed.

Pat McCormack, director of the Driver and Vehicle Services division, and her boss, Ellison, still can't or won't say what went wrong between the two audits. McCormack said that she thought everything was fixed but that "as a nontechnical person," she wouldn't know if something was not done.

After an April legislative hearing, Ellison said she was checking to see whether any staff members lied about the work done after the first audit. Now Ellison won't comment on what was found.

Keith Steller, an information-technology consultant and network security teacher at Inver Hills Community College, said the mistake governments and some private companies make is not considering security as part of the customer-service package and ignoring warning signs. The state had the equipment, but not the policies and procedures to make it work, he said.

"How much value do you put on your data?" Steller asked. "How much does it cost to fix it now? And how do they get their reputation back? The lesson is, you should do it right the first time."

This content continues onto the next page...