Missing Security at Minnesota Driver's License Website

Series of missteps left personal and financial data vulnerable at Minnesota's license tab renewal Web site

Wisconsin, for example, seems to have gotten it right. The state put its license renewal system online in 1990 and established a firm firewall and scrambled the charge card numbers as part of its security system, said Candy Dyhr, financial management supervisor for the Wisconsin Department of Transportation's division of motor vehicles.

The system was audited twice by the Wisconsin Bureau of Audit, which found no problems, Dyhr said.

Minnesota now hopes to have its system back up by later this fall at a cost of $1.1 million. McCormack said she is not certain if any money would have been saved along the way. With constantly changing technology, more upgrades would be needed by now, she said.

There were many missed opportunities along the way to bulk up security.

Daren Mehl, then a St. Paul resident and computer technology specialist for a bank, first warned the division by e-mail in February 2003 that even the mildly computer-savvy could get in and steal the private financial data of anyone who renewed license tabs. He busted into the system himself and left proof he had been there.

Nobody took him seriously, he said. All he received was a generic response that the site was secure but for technical reasons it couldn't display the padlock icon that normally appears somewhere along the edges of the Web browser. That padlock indicates that the browser's connection to the site is encrypted (SSL/TLS), so information users are asked to supply can't be read or altered in transit; it says nothing about how the site stores or protects that information once it arrives.

"I told all my friends to stay away from it," he said. "I can't believe they weren't hacked."

Mehl was one of hundreds who complained. Robert Bennett, who at the time was a state information security officer, took user complaints and warnings seriously. In late 2002, he fired off an e-mail to a department head questioning whether the site could continue successfully "should the trust in the electronic system which we know is not secure falter from where it even is now."

Bennett said he and Janet Cain, the department's chief information officer, pushed for hiring an outside company in 2001 and 2002 to scan the system for holes and weaknesses.

"We never received budget approval," he said.

By early 2003, McCormack, the division's director, and others again discussed hiring an outside firm. One company offered its service for $1,000 and offered to waive the fee entirely if it failed to find any security vulnerabilities. Ultimately, no one was hired and the work was not done.

"We had some changes in personnel that were going on, and the ball got dropped," McCormack said. "I'm not going to make any excuses for the fact that it should have been addressed. I certainly would say I should have been one of the ones to ensure that we tried to keep moving on that."

Even without outside help, other red flags could have been heeded. The Driver and Vehicle Services computer system had software that recorded when hackers were trying to illegally break into the computer, said Chris Buse of the Legislative Auditor's Office. However, no employee was responsible for checking the log daily, according to the first audit.

Marc Klein, public safety's network operations manager, wrote in a May 22, 2001, e-mail that he would have someone hired by Jan. 1, 2002, to review the computer logs. That didn't happen, according to the second audit, and the logs were sometimes checked days after someone might have jiggled the handle, looking for an unlocked door into the system.

Klein turned down repeated requests for an interview.

However, Cain said Klein hired two security specialists in succession, but each left the job after just a few weeks, and then it was left vacant.

"I don't know if they looked into those logs because they may not have been the highest priority," Cain said.

Resources must be thrown at intruder prevention, Steller said. At the least, a security engineer should have been assigned to spend four hours a day reviewing the logs, he said.
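The two audit findings above, that the system logged break-in attempts but nobody reviewed the log daily and that entries were sometimes read days after the attempt, describe a process failure that is easy to automate away. The script below is an added example written for this page, not code from the article, the Driver and Vehicle Services system, or the Legislative Auditor; the log format, field names, sample lines and thresholds are assumptions chosen for illustration. It parses constructed log lines, flags any source that generates repeated suspicious events in one day or sends requests with obvious attack markers, and reports how many suspicious entries were already more than a day old when the review finally happened.

```python
"""Daily review of intrusion-attempt logs.

Added example, not code from the article or from Minnesota DVS. The log
format (<timestamp> <source ip> <event> <detail>), the event names, the
sample lines and the thresholds are all assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2003-02-10T02:14:07 10.0.0.5 FAILED_LOGIN user=admin
2003-02-10T02:14:09 10.0.0.5 FAILED_LOGIN user=admin
2003-02-10T02:14:12 10.0.0.5 FAILED_LOGIN user=root
2003-02-10T02:14:15 10.0.0.5 FAILED_LOGIN user=dvs
2003-02-10T02:14:18 10.0.0.5 FAILED_LOGIN user=test
2003-02-10T02:14:20 10.0.0.5 FAILED_LOGIN user=guest
2003-02-10T03:01:44 192.0.2.9 FAILED_LOGIN user=jsmith
2003-02-10T03:02:10 192.0.2.9 LOGIN_OK user=jsmith
2003-02-11T11:52:03 198.51.100.7 BAD_REQUEST path=/renew/../../etc/passwd
2003-02-11T11:52:05 198.51.100.7 BAD_REQUEST path=/renew/index.cgi?id=1%27
2003-02-11T11:52:09 198.51.100.7 BAD_REQUEST path=/renew/admin
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ?(.*)$")
SUSPICIOUS = {"FAILED_LOGIN", "BAD_REQUEST"}
THRESHOLD = 5  # assumed: this many suspicious events from one source per day
# Assumed markers of traversal / injection probing in a request path.
ATTACK_MARKERS = ("../", "%27", "'")


def parse(log_text):
    """Turn raw lines into (timestamp, source, event, detail) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the review
        ts, src, kind, detail = m.groups()
        events.append((datetime.fromisoformat(ts), src, kind, detail))
    return events


def daily_alerts(events, threshold=THRESHOLD):
    """Sources exceeding the threshold of suspicious events in one day.

    Returns {(YYYY-MM-DD, source): count} so the reviewer sees who to block.
    """
    counts = defaultdict(int)
    for ts, src, kind, _ in events:
        if kind in SUSPICIOUS:
            counts[(ts.date().isoformat(), src)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def flagged_requests(events):
    """Single requests that warrant an alert regardless of volume."""
    hits = []
    for ts, src, kind, detail in events:
        if kind == "BAD_REQUEST" and any(m in detail for m in ATTACK_MARKERS):
            hits.append((ts.isoformat(), src, detail))
    return hits


def stale_events(events, reviewed_at, max_age=timedelta(days=1)):
    """Suspicious entries already older than max_age when reviewed.

    This measures the failure the audit describes: logs that were only
    checked days after the attempt.
    """
    reviewed = datetime.fromisoformat(reviewed_at)
    return [e for e in events if e[2] in SUSPICIOUS and reviewed - e[0] > max_age]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for (day, src), n in sorted(daily_alerts(evs).items()):
        print(f"{day} {src}: {n} suspicious events")
    for ts, src, detail in flagged_requests(evs):
        print(f"{ts} {src}: attack marker in {detail}")
    late = stale_events(evs, "2003-02-14T09:00:00")
    print(f"{len(late)} suspicious events were more than a day old when reviewed")
```

Run daily from cron (or the scheduler of your platform) against the previous day's log, the script produces a short report that a reviewer can act on in minutes rather than the four hours a day of manual reading Steller suggests; the `stale_events` count is the metric to track if you want evidence that the review is actually happening on schedule.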

With no centralized technology branch, the public safety department allowed its various divisions, such as the Bureau of Criminal Apprehension and Driver and Vehicle Services, to control their own computer systems.

The result was that computer-safety experts could make recommendations but not enforce them. For example, Bennett worked for the Department of Public Safety and received many of the complaints and warnings about the online renewal process, but he had no authority to order changes.