Audit finds Missouri courts’ record system lacks cybersecurity safeguards

A state audit released Wednesday finds that court records in Missouri are not being thoroughly shielded from hackers and other unauthorized users.

The report states that there are potential weaknesses in the Judicial Information System, which is operated by the Office of State Courts Administrator (OSCA). It’s used to store case files, information on convictions and sentencing, and financial records.

State Auditor Nicole Galloway said potential weaknesses in the system could lead to unauthorized users tampering with data on prisoners, including sentences and release dates.

“The Office of State Courts Administrator has an obligation to ensure court information and records are handled securely and accurately, and with the responsible management of public dollars,” she said in a release. “The current system lacks necessary safeguards to identify inappropriate or unusual activity.”

The findings include:

- OSCA management has not fully established procedures to periodically review user accounts and to confirm access rights are appropriate.
- User accounts are not routinely reviewed to determine if they have been accessed or used in a specified period of time.
- Twelve former OSCA or court employees still had access to the system after their employment ended.
- Those with administrative privileges can log in and see others’ passwords.

Also, the audit found the courts administrator office has no long-range formal plan or budget in place for its information system, despite spending $218 million on the Judicial Information System.

Galloway’s recommendations include:

- Periodically reviewing users’ access rights to data and other information to ensure they are appropriately in line with employees’ job duties and responsibilities
- Identifying and evaluating inactive accounts
- Ensuring lists of user accounts and related privileges to access the JIS are complete and accurate
- Periodically providing applicable user information to the local court appointing authorities for review
- Implementing procedures for the timely removal of user accounts and related access privileges upon employee termination
- Investigating system changes to strengthen password controls, to reduce the risk of password compromise, and to help prevent unauthorized access. In addition, discontinuing maintenance of a centralized list of passwords

In a written response, the Office of State Courts Administrator said, in part.

