Metro Atlanta / State News 5:19 p.m. Wednesday, September 9, 2009

Lax security left employees’ data vulnerable


The Atlanta Journal-Constitution

An audit of state government’s accounting office found lax computer security that left thousands of state employees’ personal information vulnerable to theft by hackers.

No evidence was found that personal and financial information was stolen, according to the audit, released last week. But the report noted that weaknesses in the system allowed investigators to “gain full access to servers, databases and information.”

The review of the State Accounting Office’s information systems “revealed significant deficiencies in the protection of sensitive information and critical computer systems,” the Department of Audits and Accounts’ report says.

State Accounting Office officials did not return repeated messages for comment on the audit. The agency has already addressed many of the problems, however, according to its written response to the audit’s results.

Russell Hinton, the state auditor, said Wednesday while no evidence of fraud or loss of data was found, “we found some fairly significant control issues that [the Georgia Technology Authority] and the State Accounting Office are in the process of addressing.”

But John Thorton, director of the audit department’s state government division, said his team continues to review whether the security deficiencies led to improper spending.

“Anytime someone could access the system who was not authorized to do so, it increases the risk that some unauthorized transactions could have occurred,” Thorton said. “Work is still ongoing.”

The State Accounting Office manages the human resources systems for 185 state agencies and colleges through the PeopleSoft Financials and PeopleSoft Human Capital Management programs. Those systems provide accounting, purchasing, labor distribution, asset management, human resources, personnel administration and payroll processes to the majority of state government. The Georgia Technology Authority provides tech support for the systems.

The audit examined 15 areas and found that three were “high” risk areas, meaning “an immediate risk, directly impacting the confidentiality, integrity or availability of systems,” the report says. The rating also means the agency might not know if its system were attacked.

Five more areas were rated as “medium” risks, which could affect confidentiality and integrity of the system. The final seven areas were rated as low risks.

The high-risk problems largely involved inadequate encryption of confidential information, passwords or access keys. Some former employees and retirees from the State Accounting Office improperly retained access to internal systems; employees were often able to access information beyond their clearance level; and passwords were sometimes set to default or not changed according to policies.

While the report found serious security issues, one computer security expert said the real story is how common these types of deficiencies are. Detmar Straub, a professor of computer information systems at Georgia State University, said in an e-mail that “these deficiencies are not that unusual. Many, many organizations have lax security. Both public and private sector organizations suffer in this regard.”

The problem, Straub said, is that many organizations see information security as an “overhead and thus a drain on organizational resources.” Few organizational leaders, he wrote, “appreciate the true value of information security, or better put, the balancing of risk, costs, productivity and security measures.”
