State auditors were able to access confidential information when testing cybersecurity at the Arizona Department of Economic Security, revealing vulnerabilities that could have put residents’ personal information at risk.
More than 2 million Arizonans have submitted information such as Social Security numbers, health information and federal tax information to the department, which oversees more than 40 programs such as food assistance, unemployment benefits and adult protective services.
An Arizona Auditor General’s report documenting the shortcomings landed on state lawmakers and Gov. Doug Ducey’s desk this week.
Among the findings were a lack of staff training and outdated software that left the department at a high risk of data breaches and other security vulnerabilities. The report suggests high employee turnover likely compounded problems. Economic Security Director Tim Jeffries, who was forced to resign last year, had fired 428 employees during his nearly two-year tenure.
Ducey’s staff would not comment on audit specifics as they review the report, Deputy Chief of Staff David Scarpinato said. He said the Governor’s Office is taking a comprehensive look at computer needs throughout state government.
Online security breaches can be costly. The Maricopa County Community College District paid more than $26 million as of 2014 after a breach compromised the personal information of more than 2 million people a year earlier. In 2012, hackers breached Utah’s Department of Health and accessed over 780,000 records, which has cost that state over $4 million so far.
DES did not face any known hacks despite the lax system, according to Performance Audit Manager Dot Reinhard.
She said auditors shared problems as they were uncovered so department staff could implement fixes.
A DES spokesperson on Wednesday said no one has been fired or reprimanded following the audit.
Auditors hack system
The State Auditor General’s Office has been conducting IT performance reviews for more than 10 years, Reinhard said.
The DES audit, which took place over nine months, was part of a routine review.
As part of their work, auditors simulated attacks that hackers commonly use to test DES security. Each type of attack succeeded. At one point, the auditors gained access to records for an estimated 100,000 people, according to the report.
In one test attack, auditors gained access to “control all network user accounts, including accounts with high-level access.” They were able “to view, alter or delete confidential health information and other sensitive data, including client Social Security numbers, names and addresses.”
The tests also uncovered a lack of proper monitoring by DES’s information technology department. Although IT staff knew auditors were there, they were unable to detect the breach.
Servers lack security updates
Part of routine IT security is making sure all network equipment is updated to protect against malware, software designed to damage computers, gather data and facilitate a system breach.
Frequent updates are critical as researchers discovered 430 new types of malware in 2015 alone, according to cybersecurity company Symantec.
Auditors found 47 percent of the 752 DES servers they reviewed did not have regular security updates and patches installed. Some of those updates had been available for several years.
Auditors say 63 percent of the servers had critical or high security vulnerabilities, some dating back to 1999.
Policy and training issues
The report repeatedly highlighted a lack of information technology staff training and policies, such as what to do in the case of a data breach.
For example, IT policy requires data to be classified as either public or confidential, but the classification was not being applied.
In 2006, DES hired a chief information security officer to guide the department’s IT staff. However, it wasn’t until 2015 that the scope and details of the job were properly elaborated. A DES spokesperson told The Republic that different people have served in that role during the nine-year span.
Auditors interviewed three IT staff members who said they were “unfamiliar” with policies created by the chief information security officer’s team that pertained to their own responsibilities, and they didn’t recall the chief enforcing information security policies.
Auditors also discovered:
Employees who may have been terminated were not purged from the system and still could have accessed the network.
Many passwords had not been changed in the past 30 days, despite DES policy. Some passwords weren’t changed for more than a year.
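The two account findings above are the kind of thing a defender can check mechanically. The following script is an added example and is not code from the audit report or from DES: it takes a list of network accounts and an HR separation list, flags enabled accounts that belong to separated employees, and flags enabled accounts whose password is older than a 30-day rotation policy (the one DES policy calls for), listing privileged ones first. The account records, the separation list, the audit date and the field names are all constructed for the example; they are not a real directory schema.

```python
"""Added example: account-hygiene checks for separated-employee accounts and
stale passwords. All data below is constructed sample data, not DES records."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    privileged: bool      # assumption: member of an admin / high-access group
    pwd_last_set: date    # assumption: date the password was last changed


def find_orphaned_accounts(accounts, separated_users):
    """Enabled accounts whose owner appears on the HR separation list.
    Disabled accounts are ignored: they were deprovisioned correctly."""
    separated = {u.lower() for u in separated_users}
    return sorted(a.username for a in accounts
                  if a.enabled and a.username.lower() in separated)


def find_stale_passwords(accounts, as_of, max_age_days=30):
    """Enabled accounts whose password is older than the rotation policy.
    Returns (username, age_in_days) pairs, oldest first."""
    stale = []
    for a in accounts:
        if not a.enabled:
            continue
        age = (as_of - a.pwd_last_set).days
        if age > max_age_days:
            stale.append((a.username, age))
    return sorted(stale, key=lambda pair: -pair[1])


def hygiene_report(accounts, separated_users, as_of, max_age_days=30):
    """Combine both checks into one summary a reviewer can act on.
    Privileged accounts with stale passwords are called out separately
    because those are the ones an intruder would most want to reuse."""
    by_name = {a.username: a for a in accounts}
    stale = find_stale_passwords(accounts, as_of, max_age_days)
    return {
        "orphaned": find_orphaned_accounts(accounts, separated_users),
        "stale": stale,
        "stale_privileged": [u for u, _ in stale if by_name[u].privileged],
        "stale_over_one_year": [u for u, age in stale if age > 365],
    }


# Constructed sample data (not real accounts).
AS_OF = date(2017, 3, 1)  # constructed "audit date"
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, False, date(2017, 2, 20)),    # compliant, 9 days old
    Account("asmith", True, True, date(2015, 11, 3)),   # privileged, > 1 year old
    Account("bjones", True, False, date(2017, 1, 10)),  # 50 days old
    Account("cwhite", False, False, date(2016, 6, 1)),  # disabled on separation
    Account("dgreen", True, False, date(2017, 2, 1)),   # separated, still enabled
]
SEPARATED_USERS = ["dgreen", "cwhite"]  # constructed HR separation list


if __name__ == "__main__":
    report = hygiene_report(SAMPLE_ACCOUNTS, SEPARATED_USERS, AS_OF)
    print("Separated employees with enabled accounts:", report["orphaned"])
    for user, age in report["stale"]:
        print(f"Password for {user} is {age} days old")
    print("Privileged accounts with stale passwords:", report["stale_privileged"])
```

Run against a real directory, the same two functions would be fed an export of account objects and the HR separation feed; the 30-day threshold is a parameter so a different rotation policy can be checked without changing the logic.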
The auditors made a litany of recommendations for DES and the agency agreed with every single one. They included:
improving vulnerability assessments.
improving update and patch management.
establishing a continuous monitoring program for critical IT activities.
securing and testing web-based applications.
establishing a written plan for developing and implementing a department-wide information security program.
further defining IT roles and authority.
developing and implementing policies on data classification, incident response, and security awareness education and training.
DES has already begun to implement the recommendations, such as more frequent server scans, implementing new policies and increased training.
DES plans to have 44 percent of the recommendations implemented within the next 60 days, DES spokesman Brett Bezio said. A handful of others will be implemented in June, August and December. No timeline has been set on implementing two recommendations, Bezio said.
Auditors will return in six months to check the department’s progress in making changes, Reinhard said.