Welcome! Login | Register
 

The Political “Purple Wave” of 2018—Sunday Political Brunch November 11, 2018—The Political “Purple Wave” of 2018 -- Sunday…

3 Seahawks Players That Deserve More Love At Midseason—3 Seahawks Players That Deserve More Love At…

These Are The 8 Benefits Of Tea (& Top 8 Teas) You Need To Know About—These Are The 8 Benefits Of Tea (&…

Lillard On Pace To Set Record You Definitely Didn’t See Coming—Lillard On Pace To Set Record You Definitely…

How Fat is Oregon?—How Fat is Oregon?

What Matters at the Election Finish Line—Sunday Political Brunch - November 4, 2018—What Matters at the Election Finish Line --…

The Roadmap To A Successful Seahawks Playoff Push—The Roadmap To A Successful Seahawks Playoff Push

Fit for Life: Where Are YOU Today?—Fit for Life: Where Are YOU Today?

Weiss: Midterm Elections are Here - Your Vote Sends a Message to Congress—Weiss: Midterm Elections are Here - Your Vote…

U.S. Adds 250K Jobs in October, Unemployment Stays at 3.7%—U.S. Adds 250K Jobs in October, Unemployment Stays…

 
 

Oregon’s Data Center Has Major Weaknesses, Says Report from Atkins

Wednesday, August 26, 2015

 

A new report from the Secretary of State Jeanne Atkins' Office claims that the data center operated by the Department of Administration continues to have major weaknesses.  The problems going back nine years continue to potentially expose the most confidential records and data of Oregonians.

The report warns that the "State agencies use the data center’s complex and extensive inventory of computers and networks to run hundreds of their programs. A breach in state systems could result in significant loss of sensitive data about Oregonians, such as tax or medical records and social security numbers that could be used in fraud or identity theft," said the statement.

"Oregon must do more to protect its data systems,” said Secretary of State Jeanne P. Atkins. "The risks identified in this audit make it clear the urgency we face."

Multiple Problems

The report released identifies multiple ares of critical security problems that have never been resolved, although auditors issued warnings dating back as far as 2006.  The problems include:

1) inadequate management of system configurations

2) insufficient monitoring of networks and users with special system access

3) inadequate incident tracking, and obsolete hardware and software. 

Collectively, the problems heighten the risk to computer programs and information at the data center.

The report is highly critical of the existing situation and the lack of attention to the ongoing problems.

Auditors concluded that the state has been unable to improve security because management abandoned initial data center security plans, did not assign security roles and responsibilities, or provide sufficient security staff.  As a result, efforts to improve security often ended in partially implemented solutions.  Even if alerts sounded, in many cases no one had the authority or responsibility to resolve them.

Data Systems

"Oregon must do more to protect its data systems,” said Secretary of State Jeanne P. Atkins. "The risks identified in this audit make it clear the urgency we face."

The report noted that organizational changes to improve security occurred in the last six months.  The state Chief Information Officer now answers directly to the Governor.  In addition, the 2015 Legislature formalized the state Chief Information Officer’s responsibility for information technology throughout all state agencies, including the data center. This also brought the data center under the direct responsibility of the Chief Information Officer.  These changes heightened attention on security and managers are now starting to build the security function into the data center as originally planned.

Auditors stated that the organizational changes were appropriate and necessary but also indicated that resolving the many longstanding security weaknesses will require significant resources, time and perseverance, along with the cooperation of other state agencies. Auditors noted that they will be starting an audit of security issues in agency computer programs, and also return to the data center in two years to report on its progress.

Auditors also recognized management for the unique agreement with the state of Montana to quickly restore operations after a serious disaster or disruption by copying its systems and records to Montana’s State Data Center.  This approach could assist data center recovery but auditors noted additional work remained to replicate some systems and fully test the plans.

The audit team consisted of William Garber, Neal Weatherspoon, Teresa Furnish and Amy Mettler.

 

Related Slideshow: Recent Data Breaches in Oregon

Here are some of the biggest data and security breaches in Oregon between 2015 and 2012, according to Privacy Rights Clearinghouse:

Prev Next

The Oregon Department of Administrative Services

March 20, 2015

The department's meta data, including time stamps the size of flies, was disclosed on Friday, March 20, by an unidentified hacker. 

The attack was detected by intrusion software, and investigated by the department, but no personally identifying information was compromise

Prev Next

LifeWise Health Plan of Oregon

March, 2015

A cyber attack on LifeWise and it's parent company Premera Blue Cross exposed the personal identification of 250,000 Oregonians to unauthorized access.

Prev Next

Oregon Employment Department

Date: Oct. 10, 2014

Location: Portland

Records Compromised: 820,000

A database containing personal information from people searching for jobs through WorkSource Oregon was breached. 

Prev Next

Made in Oregon

Date: Dec. 3, 2013

Location: Portland

Records Compromised: 1,700

The company’s website, with credit card information, may have been accessed by unauthorized parties. 

Prev Next

Samaritan Family Medicine Resident Clinic

Date: Nov. 4, 2013

Location: Corvallis

Records Compromised: 1,222

Un-shredded medical documents were found in a dumpster near the offices. Prescriptions, diagnoses and sensitive medical information were on the documents. 

Prev Next

Bonneville Power Administration

Date: Aug. 27, 2013

Location: Portland

Records Compromised: 3,100

BPA employee names, Social Security numbers, and dates of birth were distributed by a cyber attack.

Prev Next

Oregon Health & Science University

Date: July 29, 2013

Location: Portland

Records Compromised: 3,000

OHSU patient information was placed on Google’s cloud computing system. OHSU did not have a contract with Google, so the information could have been used for promotional purposes due to the storage error.  

Prev Next

Oregon State University

Date: July 29, 2012

Location: Oregon State University

Records Compromised: 21,000

During a software upgrade, an unnamed check printing vender copied data that included student and employee names, IDs, check numbers, check amounts, and possibly some Social Security numbers. 

Prev Next

Eugene School District 4J

Date: June 11, 2012

Location: Eugene

Records Compromised: 16,000

An unauthorized source accessed confidential files containing student personal information, such as Social Security numbers, dates of birth, and phone numbers. 

Prev Next

Office of Dr. Rex Smith

Date: April 20, 2012

Location: Eugene

Records Compromised: 20,915

During a burglary, a computer with patient names, Social Security numbers, and dates of birth was stolen. 

Prev Next

Key Bank

Date: May 9, 2012

Location: Springfield

Records Compromised: 2,937

A bank manager gathered and transferred customer names, Social Security numbers, and dates of birth.

Prev Next

Applegate Valley Family Medicine

Date: April 2, 2012

Location: Grants Pass

Records Compromised: 2,300

Patient information was compromised when a laptop was stolen. 

 
 

Related Articles

 

Enjoy this post? Share it with others.

 

X

Stay Connected — Free
Daily Email