Minnesotans' personal information stored on the state's large, mainframe computers — including tax return information and bank account numbers — is at risk of being stolen, the Legislative Auditor said Wednesday.
An audit conducted in October exposed a variety of vulnerabilities in the computers, including a lack of basic security features such as eliminating passwords for former employees.
The investigation was the latest of three security audits since 2000 that found that, despite some recent improvements, personal information held by the state is "still vulnerable to loss, tampering and unauthorized disclosure."
October's audit found no evidence that computer hackers or state employees have stolen any of that data. But the auditors did not look for that kind of evidence, and one of the chief investigators for the auditing team said a disgruntled employee could download information from the system into a portable storage device without detection.
As part of the audit, the investigators performed such a download to prove that it could be done, said Chris Buse, information technology audit manager. No personal information was compromised in the test, he said.
Legislative Auditor Jim Nobles told a House-Senate commission that his staff found many shortcomings in the state's security practices for big mainframe computers in the state's main data center that store drivers' license information, process tax returns and maintain eligibility data on Minnesotans who receive welfare payments or state-subsidized health care.
Most of the audit focused on the potential for a few thousand state employees or subcontractors with access to the computer systems to misuse their passwords and, from their offices or homes, penetrate databases beyond their job responsibilities.
The audit also found a few ways outside hackers could enter the systems. "There are avenues of access that people can find, and they don't have to be inside the system," Nobles said.
The problems within the state system are not uncommon for companies with large computer systems, but their wide scope troubled one corporate security expert.
"If I was a person sitting in my chair at home, I'd be pretty alarmed," said Rick Greenwood, the chief technology officer at Roseville-based Shavlik Technologies, a company that sells software that helps large companies patch and protect their networks from computer viruses and worms.
The state of the art for computer security is constantly changing, but some of the problems uncovered — such as leaving passwords unchanged after an employee stops working for the state — were particularly troubling, Greenwood said.
The problems with managing passwords were fixed as soon as they were pointed out, said Steve Stedman, the state's chief technology officer.
However, the state still has no automated way of turning off passwords after a worker leaves the state's employ, so there's a lag, he said.
Gopal Khanna, who was hired as Minnesota's chief information officer last summer, said he assumes hackers routinely try to break into the state's computers. But he said he knew of no instances in which computer surveillance systems detected successful intrusions.
Minnesota's Web-based vehicle license tab renewal system was shut down in April after another legislative audit found security shortcomings.
"While we may disagree with the magnitude of actual risk involved with some of the audit findings and recommendations at a detail level, we accept that the major thrust of the Office of Legislative Auditor report is, on the whole, an accurate assessment," Khanna said.
Khanna said he is moving toward hiring a high-level chief information security officer to oversee access to all the state's computer systems, and that he is preparing an action plan on information security that he will present to state officials by the end of January.
Khanna emphasized that his office takes the security questions seriously and is studying ways to safeguard not just the mainframe computers but the state's sprawling network of servers.
Nobles and Buse warned legislators Wednesday that they will have to be prepared to pay more, particularly in salaries for information security experts, to safeguard computerized data.
State Sen. Claire Robling, R-Jordan, one of the legislators who received Nobles' report, said the problems detailed in the audit are serious, even though there have been no proven examples of data theft.
"Our systems are not very secure," Robling said. The report issued Wednesday — available at www.auditor.leg.state.mn.us — says some recommendations for security improvements made in 2000 and 2002 have not been acted on by state officials.
The report offers a general description of security problems that the audit staff reported in much greater detail in private documents delivered to state information technology officials. Auditors kept the information private so it would not provide a roadmap to hackers on how to compromise the state computers.
Problems cited in the most recent audit report include:
• Too many state employees have security clearances that give them wide access across multiple state computer systems.
• Too many employees are allowed physical access to mainframe computers.
• Some computer accounts allow users access to data without passwords, and software programs that require passwords to be changed regularly are sometimes bypassed.
• State employees working from home receive unencrypted data, making it easier for hackers to steal.
In at least one case, did not change the default password supplied with a software product wasn't changed, leaving the software accessible to hackers.
Buse said it is not possible for state officials to shut down most of the computer systems at risk, as they had with the online license tab renewal system.
"The guts of government run on these machines," he said of the mainframe computers, " and there are not alternative manual processes to fall back on."
