BOSTON (SHNS) – The state auditor has determined that the Department of Revenue has not done enough to defend sensitive taxpayer data like Social Security numbers and payment histories from cyberattacks, and the agency is working to bolster its strategic planning and training.
The audit did not unearth new instances in which sensitive data had been compromised, but Auditor Suzanne Bump’s office found that DOR “was not prepared to respond to or mitigate cyberattacks it or its vendors face” and “did not have procedures in place to guide its response to IT security incidents.”
The review covered the department’s IT and security-related activities from July 2016 through 2018.
Specifically, the audit found that DOR had not established an IT strategy committee, had not entered into an intergovernmental agreement with the Executive Office of Technology Services and Security for added cybersecurity support, lacked documentation of incident response procedures, and did not properly assess the risks associated with third-party vendors.
“The whole infrastructure for data security was missing at the Department of Revenue,” Bump said in an interview that aired Sunday morning on WCVB’s “On The Record.”
Bump said that DOR must do everything it can to protect taxpayer data from misuse, especially because it is information that taxpayers must provide to the state.
“Taxpayers have no choice but to provide this information to DOR, so it has a responsibility to do everything it can to keep it safe. If this information was improperly disclosed by the agency or one of its vendors, it could wreak havoc on the lives of millions of Bay State residents,” Bump said in a statement. “In recent years, we’ve seen what can happen when DOR does not properly protect this information. It is my hope this audit will lead to action at the agency.”
DOR said it takes steps to safeguard taxpayer data. Among those steps is real-time monitoring of all traffic in and out of its system to block threats and prevent unsecured disclosure of sensitive information. The audit’s findings have already spurred DOR to take action, as Bump’s office noted in its audit report.
“DOR is committed to ensuring information security and has already taken steps to address findings in this audit including developing new policies and procedures, and forming work groups to evaluate risks and compliance,” Patrick Marvin, a spokesman for the Executive Office of Administration and Finance, said. “The audit found procedural and documentation shortcomings only and did not find any instances of personal data being exposed or used inappropriately.”
DOR told auditors from Bump’s office that it will work with EOTSS to establish a “governance, risk and compliance” committee that will meet at least annually, and is revising its incident response policy and incident response plan to include dry runs and drills. The department also said that an agreement between it and EOTSS “is currently being updated.”
In her segment on WCVB on Sunday and in a press release announcing the audit Monday, Bump noted that DOR dealt with “a series of incidents that inappropriately exposed sensitive data” during the audit period. She specifically mentioned a data breach at DOR that made the private information of 39,000 business taxpayers visible to other firms, the department’s failure to deliver timely child support payments to about 1,500 parents, and a DOR error that led to the personal information of thousands of child support payers being sent to companies other than those that employed the payers.
“Thirty-nine thousand companies had their business and tax information exposed and then there were 6,100 misdirected child support enforcement notices,” Bump said on WCVB. “In all of those instances, people had their information exposed.”
Bump’s audit comes at a time when state and municipal officials have been forced to pay more attention to cybersecurity because of the widespread shift to doing business over the internet and the recent spate of incidents in which cybercriminals have sought to extort cities and towns by inappropriately gaining access to municipal files.
Through an effort backed by $300,000 in funding managed by the MassCyberCenter at the MassTech Collaborative, the state is hoping to help each of the state’s 351 cities and towns bolster their cybersecurity readiness. Gov. Charlie Baker has also ramped up attention on cybersecurity matters and has been pressing lawmakers to approve the $1.15 billion IT bond bill he filed in April.
The borrowing bill (H 3687) would authorize $600 million in spending on information technology infrastructure that the administration said would “help fortify the Commonwealth’s defenses against cyber attacks” and improve residents’ ability to interact digitally with government, including for health care, housing and other services. Among the projects to be funded is a new $135 million “Security Operations Center.”
In the fall, Baker said he would have liked to see the Legislature pass the bond bill before it recessed for the holidays, but he said it is imperative that it get done by July. At a hearing on that bill, Baker’s cybersecurity chief told lawmakers that the state’s cyberinfrastructure is constantly being pinged for weaknesses.
“Every day, we have attacks,” Secretary of Technology Services and Security Curtis Wood said in September. “I will say as of today on a daily basis we receive about 525 million probes a day from foreign soil.”
Baker’s bill has been redrafted and advanced by the State Administration and Regulatory Oversight Committee and the House Committee on Bonding, Capital Expenditures and State Assets. The latest version (H 4104) is pending before the House Ways and Means Committee.