October 19, 2016 - 3:58 am
CARSON CITY — Auditors delayed release of a report detailing security vulnerabilities in state databases to protect the information of tens of thousands of current and former state employees and their beneficiaries, a legislative committee was told Tuesday.
Douglas Peterson, information systems audit supervisor, told the Legislative Audit Subcommittee it was the first time he can recall in 20 years with the state that a decision was made to withhold an audit until problems are fixed.
The audit of the Department of Administration’s Human Resource Management division revealed sensitive personal records were stored unencrypted in databases and the accounts of some former employees were not disabled, potentially allowing unauthorized access to information.
Also, computers used by division staff and some servers lacked adequate virus protection and were missing operating system security upgrades. Hard drives of photocopiers also were not being routinely erased, the audit found.
Patrick Cates, Department of Administration director, said there was no breach of sensitive information and that steps have been taken to close the security gaps.
“This audit was an eye-opener,” Cates said.
Auditors found one unprotected database contained Social Security numbers of more than 145,000 current and former state employees and their beneficiaries. They also identified 42 computer accounts of ex-employees that had not been disabled. Of those staffers, 31 left the agency more than a year ago and one had been gone almost a decade.
Human Resource Management wasn’t the only agency with computer security problems. A separate audit found similar vulnerabilities at the Nevada Department of Wildlife, where 43 laptop computers used by game wardens contained confidential, unencrypted information, including credit card numbers. Additionally, all of the department’s 17 servers lacked virus protection software, making them vulnerable to malware.
State Sen. Ben Kieckhefer, R-Reno, chairman of the subcommittee, questioned how such security lapses could occur, given that many agencies have their own information technology staff and the state has a central unit, Enterprise Information Technology Services, to coordinate information technology issues and provide support to agencies that lack designated staff.
In the case of the administration databases, Enterprise Information Technology Services support staff were unaware of a requirement to encrypt information, the audit said.
The audit also found a lack of communication between the Human Resources division and Enterprise Information Technology Services and noted the need for agreement on what technology services Enterprise Information Technology Services will provide.