Audit Report: Minnesota's Computers Vulnerable to Data Theft

Investigation points to personal data that is vulnerable to loss, tampering, unauthorized disclosure

Minnesotans' personal information stored on the state's large, mainframe computers — including tax return information and bank account numbers — is at risk of being stolen, the Legislative Auditor said Wednesday.

An audit conducted in October exposed a variety of vulnerabilities in the computers, including the lack of basic security practices such as disabling the passwords of former employees.

The investigation was the latest of three security audits since 2000 that found that, despite some recent improvements, personal information held by the state is "still vulnerable to loss, tampering and unauthorized disclosure."

October's audit found no evidence that computer hackers or state employees have stolen any of that data. But the auditors did not look for that kind of evidence, and one of the chief investigators for the auditing team said a disgruntled employee could download information from the system into a portable storage device without detection.

As part of the audit, the investigators performed such a download to prove that it could be done, said Chris Buse, information technology audit manager. No personal information was compromised in the test, he said.

Legislative Auditor Jim Nobles told a House-Senate commission that his staff found many shortcomings in the state's security practices for big mainframe computers in the state's main data center that store drivers' license information, process tax returns and maintain eligibility data on Minnesotans who receive welfare payments or state-subsidized health care.

Most of the audit focused on the potential for a few thousand state employees or subcontractors with access to the computer systems to misuse their passwords and, from their offices or homes, penetrate databases beyond their job responsibilities.

The audit also found a few ways outside hackers could enter the systems. "There are avenues of access that people can find, and they don't have to be inside the system," Nobles said.

The problems within the state system are not uncommon for companies with large computer systems, but their wide scope troubled one corporate security expert.

"If I was a person sitting in my chair at home, I'd be pretty alarmed," said Rick Greenwood, the chief technology officer at Roseville-based Shavlik Technologies, a company that sells software that helps large companies patch and protect their networks from computer viruses and worms.

The state of the art for computer security is constantly changing, but some of the problems uncovered — such as leaving passwords unchanged after an employee stops working for the state — were particularly troubling, Greenwood said.

The problems with managing passwords were fixed as soon as they were pointed out, said Steve Stedman, the state's chief technology officer.

However, the state still has no automated way of turning off passwords after a worker leaves the state's employ, so there's a lag, he said.

Gopal Khanna, who was hired as Minnesota's chief information officer last summer, said he assumes hackers routinely try to break into the state's computers. But he said he knew of no instances in which computer surveillance systems detected successful intrusions.

Minnesota's Web-based vehicle license tab renewal system was shut down in April after another legislative audit found security shortcomings.

"While we may disagree with the magnitude of actual risk involved with some of the audit findings and recommendations at a detail level, we accept that the major thrust of the Office of Legislative Auditor report is, on the whole, an accurate assessment," Khanna said.

Khanna said he is moving toward hiring a high-level chief information security officer to oversee access to all the state's computer systems, and that he is preparing an action plan on information security that he will present to state officials by the end of January.

Khanna emphasized that his office takes the security questions seriously and is studying ways to safeguard not just the mainframe computers but the state's sprawling network of servers.
