Colorado Division of Motor Vehicles cited in audit report
Technorati Tag: Security Breach
Date Reported:
7/9/08
Organization:
State of Colorado
Contractor/Consultant/Branch:
Department of Revenue
Division of Motor Vehicles
Victims:
Residents
Number Affected:
~3,400,000
Types of Data:
"names, addresses, dates of birth and Social Security numbers"
Breach Description:
"The Division of Motor Vehicles put 3.4 million Coloradans at risk of identity theft due to flaws in the way driver's-license information is handled, lawmakers learned Tuesday at an interim transportation committee hearing."
Reference URL:
The Denver Post
Report of The State Auditor, Driver's License and Identification (ID) Card Security
Report Credit:
Jessica Fender, The Denver Post - Brought to the attention of The Breach Blog by an informed reader.
Response:
From the online source cited above:
The Division of Motor Vehicles put 3.4 million Coloradans at risk of identity theft due to flaws in the way driver's-license information is handled, lawmakers learned Tuesday at an interim transportation committee hearing.
The DMV regularly sends large batches of personal information over the Internet without encryption and has failed to properly limit access to its database, according to a recent audit.
[Evan] The audit report is here.
At one point, 33 former DMV employees could access names, addresses, dates of birth and Social Security numbers — some workers more than a year after their departure.
Revenue Department leaders who oversee the division say they are working to hire internal watchdogs and build up their technological defenses.
[Evan] This is putting the cart before the horse. After reading some of the audit results it is clear to me that there is no information security strategy, no effective information security management, and no formal information security program. These administrative issues need to be addressed well before "technological defenses" should be. Addressing "technological defenses" first is oftentimes wasteful and disjointed.
But the state, facing a budget shortfall, will have no additional money in the foreseeable future for new computer systems.
[Evan] Then get creative! No or little money is a poor excuse for not doing the right thing. Many times, we find that an organization actually saves money through effective information security management. Fix the administrative issues and formalize the information security program first. I don't know much about the Colorado state government, but I do know that other state governments are wasteful and disorganized. Information security, when aligned with organizational goals and objectives (not IT), can help organize and cut waste.
Cyber security alone is a $1.5 million problem that will be tough to solve, said Roxy Huber, Revenue Department executive director.
[Evan] I wonder where the $1.5 million figure comes from. We can secure a heckuva lot of infrastructure (and information) with that kind of money. I get a kick out of "Cyber security".
"To tell you that I'm going to have the tools to do what I need to do, I don't know where they're going to come from," Huber said. "But we will continue to do the best with the tools that we have."
[Evan] Where do I start with this comment? The first tool to use is the one between your ears.
Colorado ranks eighth in the nation in identity-theft complaints per person and first in the nation when it comes to general fraud reports.
[Evan] This should tell you something! It is even more troubling if your own state government contributes to the problem.
On average, those frauds cost victims $4,041 each for a total of $41.3 million in 2007.
Auditors said the DMV's method for handling sensitive information was "fragmented, disorganized and poorly planned."
[Evan] Yeah, ya think?
No one person is responsible for security.
[Evan] Or is it no one is responsible for security?
High turnover - 60 percent of entry-level workers leave during their first year - and low, $26,280-a-year starting salaries make fraud more attractive and management more difficult, DMV officials said.
[Evan] This is another problem that contributes significantly to the risk.
While employees have been caught issuing hundreds of fraudulent licenses, there are no known instances of identity theft or information security breaches, said Department of Revenue spokesman Mark Couch.
[Evan] Come on. Not that we know of anyway. Don't you think that the risk is much higher if a person has already demonstrated that he/she is willing to step over the line?
"It's not like we have a completely defenseless system," Couch said. The audit "says that we need to take more steps."
[Evan] Not completely defenseless, but like protecting a bicycle with a rope.
"Without the appropriate resources, there's no way we can hold you accountable for doing some of the things you're expected to do," said Sen. Nancy Spence, R-Centennial.
[Evan] This kind of talk does not help the cause and does little to serve constituents. I am not close to this issue, but so many of the things I have read about this breach point to mismanagement more than a lack of appropriate resources.
Some problems already have been fixed.
The 33 former employees with database access immediately had their passwords deactivated once auditors identified them, and the DMV now compiles monthly lists of departed workers to prevent future lapses.
The division has a long-standing policy of redacting the last four digits of Social Security numbers before they're transmitted, and the division plans to encrypt all transmitted information by June 2009.
[Evan] What? A year? This exposure is now public knowledge and will continue for a year?
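The monthly reconciliation the article describes (comparing the list of departed workers against accounts that still have database access) is straightforward to automate, and automating it also catches the cases a manual list misses: accounts that were used after the owner left, and accounts that HR has no record of at all. The following is an added example written for this post, not code from the DMV, the State Auditor or The Denver Post; every username, date and account record is constructed sample data, and the field names, the 45-day grace period and the report date are assumptions.

```python
"""Reconcile an HR departure list against active database accounts.

Added example (not from the DMV, the audit report or The Denver Post).
All records below are constructed sample data; the field names and the
grace period are assumptions made for illustration.
"""
from datetime import date, timedelta

# Constructed: HR departures, keyed by the same login name the database uses.
# In practice match on a stable employee ID rather than a free-text name.
DEPARTURES = {
    "jdoe": date(2007, 3, 15),    # left over a year ago
    "asmith": date(2008, 5, 30),  # left last month
    "bjones": date(2008, 6, 20),  # left, and was correctly disabled
}

# Constructed: HR's roster of people still employed.
CURRENT_STAFF = {"cwhite"}

# Constructed: account export from the database's access-control list.
ACCOUNTS = [
    {"username": "jdoe",      "enabled": True,  "last_login": date(2008, 6, 1)},
    {"username": "asmith",    "enabled": True,  "last_login": None},
    {"username": "bjones",    "enabled": False, "last_login": date(2008, 6, 19)},
    {"username": "cwhite",    "enabled": True,  "last_login": date(2008, 7, 8)},
    {"username": "dmv_batch", "enabled": True,  "last_login": date(2008, 7, 9)},
]

# Assumed date on which the monthly check is run.
REPORT_DATE = date(2008, 7, 9)


def orphaned_accounts(accounts, departures, as_of, grace_days=0):
    """Return still-enabled accounts whose owner departed before as_of.

    grace_days tolerates a short hand-over window after the last day; with
    the default of 0 any enabled account of a departed worker is reported.
    Each finding records how long the account has outlived its owner and
    whether it was logged into after the departure date, which is the
    signal that turns an orphaned account into a possible incident.
    """
    findings = []
    for acct in accounts:
        left = departures.get(acct["username"])
        if left is None or not acct["enabled"]:
            continue
        if as_of <= left + timedelta(days=grace_days):
            continue
        last = acct["last_login"]
        findings.append({
            "username": acct["username"],
            "days_since_departure": (as_of - left).days,
            "used_after_departure": last is not None and last > left,
        })
    # Longest-lived orphans first: they are the highest-priority removals.
    return sorted(findings, key=lambda f: -f["days_since_departure"])


def accounts_without_hr_record(accounts, departures, current_staff):
    """Return enabled accounts that neither HR list knows about.

    A departed-worker list can only disable accounts it can see; anything
    that is not tied to a current or former employee (shared logins,
    forgotten service accounts) must be reviewed separately.
    """
    known = set(departures) | set(current_staff)
    return sorted(a["username"] for a in accounts
                  if a["enabled"] and a["username"] not in known)


def report(as_of=REPORT_DATE, grace_days=0):
    """Build the plain-text monthly report as a list of lines."""
    lines = [f"Access review as of {as_of.isoformat()}"]
    for f in orphaned_accounts(ACCOUNTS, DEPARTURES, as_of, grace_days):
        flag = " (USED AFTER DEPARTURE)" if f["used_after_departure"] else ""
        lines.append(f"DISABLE {f['username']}: departed "
                     f"{f['days_since_departure']} days ago{flag}")
    for name in accounts_without_hr_record(ACCOUNTS, DEPARTURES, CURRENT_STAFF):
        lines.append(f"REVIEW  {name}: no HR record")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

With the constructed data the report lists jdoe (enabled 482 days after departure and logged into since), asmith (40 days), and the dmv_batch account that no HR list accounts for; bjones is skipped because it was already disabled. Raising grace_days to 45 drops asmith, which is the kind of tolerance window an organization would set deliberately rather than by leaving accounts open until someone notices.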
Commentary:
Due to the fact that I was a little more critical in my comments above, I should express that these are my opinions and beliefs based on my experiences and knowledge. Take the comments for what they are worth.
It seems like there is a lot of work that needs to be done at the Colorado Department of Revenue and Division of Motor Vehicles. The work must start at the top. Somebody needs to step up and fill the role as the "person responsible for security".
Past Breaches:
State of Colorado:
April, 2008 - CollegeInvest external hard drive goes missing
