Audit: Oregon agency vulnerable to cyberattacks, ignored warnings

By Julia Shumway - November 9, 2021 10:17 am

The Oregon Department of Consumer and Business Services needs to improve its cybersecurity, an audit found. (Julia Shumway/Oregon Capital Chronicle)

The Oregon state agency that oversees workers’ compensation and banks and investigates consumer complaints hasn’t heeded cybersecurity warnings over the past five years and remains vulnerable to attacks, state auditors found.

A review released Tuesday by the Audits Division of the Secretary of State’s office found that the Oregon Department of Consumer and Business Services has yet to implement some of the most basic cybersecurity protections mandated by Gov. Kate Brown in a 2016 executive order.

“The security of Oregon’s information resources should be a top priority for all state agencies,” Secretary of State Shemia Fagan said in a statement. “DCBS should take immediate action to address the findings outlined in this report.”

Among other issues, auditors wrote that the agency doesn’t adequately control which of its 929 employees have administrative access on their computers, and it doesn’t have procedures for terminating access when an employee leaves. Someone could theoretically gain access to a former employee’s account and then view Oregonians’ personal data.

Additionally, auditors wrote, the department doesn’t maintain an inventory of devices which can connect to its networks and software that can be used on those devices. That means that someone could use an unapproved computer to improperly connect to the department’s network, or that an employee could knowingly or unwittingly download a computer program that could result in data breaches or malware.

The department is an umbrella agency for most state divisions that deal with businesses and consumers. It contains the workers’ compensation board, Oregon Occupational Safety and Health Division, the building codes division and the division of financial regulation.

Workers in Oregon use the department to file workplace health and safety complaints and submit workers’ compensation claims. Bankers and insurance providers submit their applications for professional licenses to the department. 

The report is vague at points, and auditors said they included more details in a confidential appendix for the agency’s leaders. They wrote that this was to balance the Legislature’s need to know about systemic IT issues affecting the state with the state’s need to protect its agencies from cyber threats — basically, spelling out the weaknesses in detail in a public report could make it easier for hackers to exploit them.

The Audits Division previously informed the department of security weaknesses in a confidential report in 2016, and the state’s central Cyber Security Services followed up with warnings in a separate confidential report in 2018, the report said. 

In a reply letter included with the audit report, Andrew Stolfi, department director, wrote that his agency has not experienced any data breaches within the past five years. 

“As with any government entity, DCBS experiences many attempts to probe our external systems, but successfully identifies and stops these attempts,” Stolfi wrote. “DCBS has also uncovered and remediated hundreds of software code vulnerabilities to lower the risks of attackers exploiting our applications.”

Stolfi wrote that the department intends to respond to the audit’s findings by creating an executive oversight committee to review progress. The department doesn’t plan to finish any of its cybersecurity work until the end of 2022 at the earliest, and it will take until 2023 to review user accounts, hardware and software, he wrote.

Julia Shumway

Julia Shumway has reported on government and politics in Iowa and Nebraska, spent time at the Bend Bulletin and most recently was a legislative reporter for the Arizona Capitol Times in Phoenix. An award-winning journalist, Julia most recently reported on the tangled efforts to audit the presidential results in Arizona.