BreachExchange mailing list archives

Employment Dept. computers still vulnerable a year after breach


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 6 Jan 2016 17:19:11 -0600

http://portlandtribune.com/pt/9-news/287226-164243-brown-replaces-employment-department-director-after-critcal-audit

Computer systems at the Oregon Employment Department remain vulnerable more
than a year after a major data breach at the agency, according to a state
audit released this week.

State employees have taken steps to tighten the Employment Department’s
cyber security, but auditors found that problems remain. These include a
lack of control and tracking of which state employees can access data, and
ongoing security flaws at the state data center where the Employment
Department systems are housed.

The data breach at the Employment Department in October 2014 affected more
than 800,000 people. An anonymous tip alerted the state that hackers had
accessed information including names, addresses and social security numbers
of people who were looking for work. People who received unemployment
insurance also received notices they might be affected.

Many of the problems cited in the audit stem from the Employment
Department’s use of mainframe computer programs from the 1990s, housed at
the Department of Administrative Services’ state data center. The agency
started the process to replace the systems, which it uses to collect
employment taxes and disburse benefits, but it will take a decade to
complete, said Legislative and Public Affairs Manager Andrea Fogue. By
then, the systems will be at least 30 years old. As a result, employees
have to do a lot of work manually.

“It is a long, ongoing process so it’s happening as quickly as it can,”
Fogue said.

State employees also lack a complete understanding of the systems’ security
functions, because of poor documentation over the years, auditors wrote.
Auditors found the Employment Department and Department of Administrative
Services have not done enough to protect confidential information from
inside the organization, by restricting access to certain high-level
employees and monitoring their actions.

Old computer systems have prevented the Employment Department from fixing
security flaws on its website that put Oregonians at risk of what is known
as a “man in the middle” attack. As of Wednesday morning, the Employment
Department portal where people can file claims for unemployment insurance
was still using the encryption protocol TLS 1.0 that has been known to be
vulnerable for years.

Fogue said earlier this year that IT employees had taken additional steps
to encrypt the sensitive information entered on the website, so even if an
attacker intercepted the information, “it would take years” to decipher.
The EO Media Group/Pamplin Media Group Capital Bureau first reported on the
security weaknesses on websites operated by the Employment Department and
other state agencies in April.

In a written response to the audit, Employment Department Director Lisa
Nisenfeld wrote that the agency has already started to implement some of
the auditors’ recommendations. However, Nisenfeld wrote that some of the
suggestions — such as strictly limiting which employees can access certain
data — cannot be implemented until a new system is in place.

Auditors wrote that computer systems should employ “a complex and
multi-layered” security system to defend against hackers, but stopped short
of saying whether the Employment Department systems met that goal. They
did, however, refer to the findings of an audit of the state data center
earlier this year which also apply to the Employment Department systems at
the facility. That audit found that state data center employees never
implemented many of the security strategies planned when the facility
opened in 2006, and they ignored repeated findings of security shortfalls
in half a dozen state audits and a private consultant’s report.

The computer systems also handle a lot of money: in 2014, the state
collected $1 billion in employment taxes and paid out $625 million in
unemployment insurance benefits, according to auditors.

The Employment Department had also been skipping an important step that
could detect unemployment tax return errors, according to auditors. That
crucial report could help the state detect when employers over- or
under-report taxable wages. Auditors found that roughly 4,400 employers
might have underpaid their taxes by as much as $2.9 million in 2014, or 0.4
percent of total taxes collected. At the same time, other employers
overpaid their taxes by nearly $850,000.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 