State Auditor Suzanne Bump (Credit: GAZETTE FILE PHOTO)

BOSTON – State auditors have again found that an agency is not doing enough to defend sensitive data from cyberattacks, this time faulting the Department of Transitional Assistance for substandard data and information security.

The audit did not detail instances in which sensitive data had been compromised, but Auditor Suzanne Bump’s office found that DTA “did not have a tested incident response plan,” “did not assess and document third-party vendor risks,” and “did not revoke terminated employees’ access to one of its systems in a timely manner.”

The review covered the agency’s information technology policies, training programs, password parameters, incident response procedures, and management of third-party risks from July 1, 2018 through June 30, 2019.

The audit found that DTA did not quickly revoke access to its Benefit Eligibility and Control Online Network (BEACON) system for terminated employees, and in some cases, terminated employees had access to the system for up to 23 days after leaving the agency. Bump’s office said that “increases the risk that terminated employees could extract personally identifiable information (PII) from the system.”

During fiscal year 2019, DTA had roughly 1,630 employees and its primary role was to administer programs that get both federal and state funding: the Supplemental Nutrition Assistance Program, Transitional Aid to Families with Dependent Children, Emergency Aid to the Elderly, Disabled and Children, and Supplemental Security Income. The agency said it serves one out of every nine Massachusetts residents.

DTA told Bump’s office that it “relies on managers to manually notify DTA’s information technology (IT) security team of employee terminations, and this was not always done in a timely manner.” The agency said it agrees with the auditor’s recommendation that it begin automatic notification to the IT security team when an employee is fired. Bump said her office is satisfied that “DTA has taken measures to address our concerns in this area.”
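The finding above is a joiner-mover-leaver gap: revocation depended on a manager remembering to notify the IT security team, so some accounts stayed enabled for up to 23 days. Automatic notification on termination is the fix the agency agreed to, but a detective control that reconciles the HR termination feed against account status would have surfaced the lag on its own. The script below is an added example, not code from the audit, DTA, or BEACON. It assumes a hypothetical HR export keyed by employee id with a termination date, and a hypothetical account export that records, per account, the owning employee and the date the account was disabled (or `None` if it is still enabled). It reports every account that stayed enabled beyond a grace period after termination, with the lag in days, so the worst case (the 23 days the auditors cited) is a computed number rather than something found by hand.

```python
"""Reconcile HR termination records against account status.

Added example; constructed data, hypothetical feeds, not DTA's own code.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    account_id: str
    employee_id: str
    disabled_on: Optional[date]  # None means the account is still enabled


@dataclass(frozen=True)
class Finding:
    employee_id: str
    account_id: str
    terminated_on: date
    lag_days: int         # days the account stayed enabled past termination
    still_enabled: bool   # True if it has not been disabled yet


def find_revocation_gaps(
    terminations: Dict[str, date],
    accounts: List[Account],
    as_of: date,
    grace_days: int = 1,
) -> List[Finding]:
    """Return accounts left enabled more than grace_days after termination.

    For an account that was eventually disabled, the lag is measured from
    termination to the disable date (a historical finding). For an account
    that is still enabled, the lag is measured up to as_of and keeps
    growing until someone revokes it. Accounts whose owner is not in the
    HR termination feed are ignored here (still-employed users).
    """
    by_employee: Dict[str, List[Account]] = {}
    for acct in accounts:
        by_employee.setdefault(acct.employee_id, []).append(acct)

    findings: List[Finding] = []
    for emp_id, term_date in terminations.items():
        for acct in by_employee.get(emp_id, []):
            end = acct.disabled_on if acct.disabled_on is not None else as_of
            lag = (end - term_date).days
            if lag > grace_days:
                findings.append(
                    Finding(emp_id, acct.account_id, term_date, lag,
                            acct.disabled_on is None)
                )
    # Worst lag first so the report leads with the most exposed account.
    findings.sort(key=lambda f: (-f.lag_days, f.employee_id))
    return findings


def max_lag_days(findings: List[Finding]) -> int:
    """Largest observed lag; the single number an auditor would quote."""
    return max((f.lag_days for f in findings), default=0)


# Constructed sample data: hypothetical employee ids and dates, chosen so
# one account mirrors the 23-day lag reported in the audit.
TERMINATIONS: Dict[str, date] = {
    "e1001": date(2019, 3, 1),
    "e1002": date(2019, 4, 15),
    "e1003": date(2019, 5, 10),
    "e1004": date(2019, 6, 20),
}
ACCOUNTS: List[Account] = [
    Account("acct-1001", "e1001", date(2019, 3, 24)),  # disabled 23 days late
    Account("acct-1002", "e1002", date(2019, 4, 15)),  # disabled same day
    Account("acct-1003", "e1003", None),               # never disabled
    Account("acct-1004", "e1004", date(2019, 6, 21)),  # within the 1-day grace
    Account("acct-2001", "e2001", None),               # current employee, not in HR feed
]
AS_OF = date(2019, 6, 30)  # end of the audit period used as the reporting date


if __name__ == "__main__":
    gaps = find_revocation_gaps(TERMINATIONS, ACCOUNTS, AS_OF)
    for f in gaps:
        state = "STILL ENABLED" if f.still_enabled else "disabled late"
        print(f"{f.employee_id} {f.account_id} terminated {f.terminated_on} "
              f"lag {f.lag_days}d ({state})")
    print("worst lag:", max_lag_days(gaps), "days")
```

Run on a schedule against the real HR and directory exports, the still-enabled findings are the ones to act on immediately, and the disabled-late findings are the metric to track after the automatic notification is in place; if that number does not fall to within the grace period, the automation is not actually firing.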

“The Department of Transitional Assistance provides critical support to some of our state’s most vulnerable low-income residents. However, inappropriate disclosure of sensitive information about these clients could make their already difficult situations much worse. DTA must do more to protect this information,” Bump said in a statement. “I’m encouraged by its responses and hope it takes swift action to fully implement our audit recommendations.”

Bump’s office said the audit report it released publicly does not include all of the issues it identified at DTA. Auditors “identified an issue that has been omitted from this report in accordance with … (a public records law), which requires the withholding of certain records, including security measures or any other records related to cybersecurity or other infrastructure, if their disclosure is likely to jeopardize public safety or cybersecurity.” DTA was made aware of the issue and was given a complete copy of the audit report, Bump’s office said.

The DTA audit came on the heels of a similar inquiry that led Bump’s office to declare that the state Department of Revenue “was not prepared to respond to or mitigate cyberattacks it or its vendors face” and “did not have procedures in place to guide its response to IT security incidents.”

“The whole infrastructure for data security was missing at the Department of Revenue,” Bump said.

Cybersecurity has been a recent point of emphasis for state and municipal officials because of the widespread shift to doing business over the internet and the recent spate of incidents in which cybercriminals have sought to extort cities and towns by inappropriately gaining access to municipal files.

Through an effort backed by $300,000 in funding managed by the MassCyberCenter at the MassTech Collaborative, the state is hoping to help each of the state’s 351 cities and towns bolster their cybersecurity readiness. Gov. Charlie Baker has also ramped up attention on cybersecurity matters and has been pressing lawmakers to approve the $1.15 billion information technology bond bill he filed in April.

The borrowing bill (H 3687) would authorize $600 million in spending on information technology infrastructure that the administration said would “help fortify the Commonwealth’s defenses and against cyber attacks” and improve residents’ ability to interact digitally with government, including for health care, housing and other services. Among the projects to be funded is a new $135 million “Security Operations Center.”

In the fall, Baker said he would have liked to have seen the Legislature pass the bond bill before it recessed for the holidays, but he said it is imperative that it get done by July. At a hearing on that bill, Baker’s cybersecurity chief told lawmakers that the state’s cyber infrastructure is constantly being pinged for weaknesses.

“Every day, we have attacks,” Secretary of Technology Services and Security Curtis Wood said in September. “I will say as of today on a daily basis we receive about 525 million probes a day from foreign soil.”

Baker’s bill has been redrafted and advanced by the State Administration and Regulatory Oversight Committee and the House Committee on Bonding, Capital Expenditures and State Assets. The latest version (H 4154) is pending before the House Ways and Means Committee.