April 19, 2005
St. Paul, Minn. — More than 350,000 Minnesotans renewed their license tabs online last year. The legislative auditor's report concludes that lax security put their private data at risk. Chris Buse, who led the audit, says auditors were able to hack into the system without being detected.
"We didn't find it very difficult," according to Buse, who says there's no way to determine if hackers did the same thing, because the Department of Public Safety wasn't monitoring the system to track attempts to break into it. He says he used the site himself to renew his tabs, and now worries if his personal data was compromised.
"I'm uncomfortable. I saw the details that weren't released in the public document, and I'm definitely uncomfortable," he says.
State officials say there's no evidence to indicate that the system was hacked into. Public Safety Deputy Commissioner Mary Ellison says the Web site has processed more than a million transactions since 2001.
"We're very concerned about security. We're taking this report very seriously, but there is really no evidence that there was any breach of security," she says.
Ellison says her agency will have to spend some money to improve its security system. The department plans to hire four people to work on the issue, and is upgrading firewalls and taking other steps to fix the problems outlined in the auditor's report.
The report links the problems to budget cuts, noting that the only person working in public safety's information security unit quit last August and wasn't replaced.
Gov. Pawlenty rejects the idea that budget cuts are to blame.
"It is not a budget issue. It's a technology issue, and again, the system was put up in 2001, it's now four years old, and it needs to be upgraded," he says.
Pawlenty notes that the Web site was started during Gov. Ventura's administration, and was one of the early attempts at e-government. Public Safety's Ellison says the goal was to provide better service for consumers.
"And sometimes in the speed of trying to provide service, we may overlook some things, and we're not going to make that mistake in the future," Ellison says.
Ellison says the Web site will remain down until the security problems have been fixed. Some lawmakers say they want assurances that private data will be protected on this and other state websites.
The chair of the Legislative Audit Commission, DFL Sen. Ann Rest of New Hope, says she's amazed by the number of security weaknesses the audit discovered.
"This colossal failure has, I think, undermined public confidence in all of the technology systems that collect private data that are operated by the state and we need to take some action quickly," says Rest.
Rest says she supports legislation to require state agencies to contact consumers when their personal data is compromised. Legislation has already been introduced to require private companies to do so, in the wake of high-profile security breaches at ChoicePoint and NexisLexis.
Rest and other lawmakers say the situation also shows that agencies can't run e-government services on the cheap, and will have to spend the necessary resources to protect public data.