
Audit blasted state cybersecurity

A February 2016 audit of the Maryland Longitudinal Data Center, operating under MSDE, revealed numerous holes in cybersecurity protections of personally identifiable information.

The Center was established in 2010, but didn’t receive funding until 2014. In the interim, activity relating to the Center, according to the 2016 legislative audit, was under the auspices of the Maryland State Department of Education.

The Center is tasked with oversight and maintenance of a statewide data system that contains individual-level student and workforce data from all levels of education and the state’s workforce, according to the audit. The Center collected data for MSDE, the Maryland Higher Education Commission, the Department of Labor, Licensing and Regulation, and the University of Maryland’s School of Social Work and College of Education.

As of April 15, 2015, the Center had collected data for calendar years 2008 through 2013, and was continuing to collect data for subsequent periods, according to the report.

Until 2015, the Center’s 14 servers were hosted by the Department of Public Safety and Correctional Services. The information collected, starting in 2008, included personally identifiable information such as names, dates of birth, and social security numbers. The audit found that the servers “were not adequately secured.”

From the audit:

“We identified two clear text files containing sensitive PII that were improperly stored on the Center’s server used to host two databases. Encrypted versions of these two files had been received from DLLR, decrypted, and processed by the Center. However, after processing, these decrypted files were stored on the Center’s server rather than being immediately deleted in accordance with the Center’s procedures. According to the Center’s records, these two files contained 882,598 unique records and, as of April 15, 2015, had been improperly retained on this server for 42 and 2 weeks.

“Social security numbers (SSNs) included with data received from MHEC were retained in one of the aforementioned databases and were not encrypted. Although the database software was capable of encrypting data that contained PII, this feature was not enabled for the aforementioned SSNs. Per our request, Center staff determined that, as of April 2015, this database contained 2,237,976 records with unique individual names and SSNs in clear text.”

The audit also found that the Center “did not employ any substantial mitigating controls (such as the use of data loss prevention software) to protect this unencrypted sensitive PII [personally identifiable information].

“This sensitive PII, which is commonly sought by criminals for use in identity theft, should be protected by appropriate information system security controls.”

The State of Maryland Information Security Policy specifies that agencies must protect confidential data using encryption technologies and/or other substantial mitigating controls.

MSDE agreed with the recommendations and took action to fix the issues, including moving the servers to the MSDE data center in 2015. MSDE has also implemented more oversight, including updating its software and better management of sensitive material, according to the audit.
