DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

NV: State agency audit withheld to protect sensitive data after serious security lapses found

Posted on October 19, 2016 by Dissent

Sandra Chereb reports:

Auditors delayed release of a report detailing security vulnerabilities in state databases to protect the information of tens of thousands of current and former state employees and their beneficiaries, a legislative committee was told Tuesday.

Douglas Peterson, information systems audit supervisor, told the Legislative Audit Subcommittee it was the first time he can recall in 20 years with the state that a decision was made to withhold an audit until problems are fixed.

Read more on the Las Vegas Review-Journal.

How bad was it, you wonder? From the key findings of the audit:

Confidential information about state employees was stored unencrypted in the Division’s databases, increasing the risk of unauthorized access of this information. One database contained Social Security numbers of over 145,000 current and former state employees and their beneficiaries. State security standards require that confidential personal data be encrypted whenever possible. However, this confidential personal information was not encrypted in the Division’s databases. Enterprise Information Technology Services (EITS) support staff, who manage the Division’s databases, indicated they were not aware that there was a requirement to encrypt this information.

Weaknesses exist in managing network users. We identified 42 computer accounts of former staff among the 179 Division computer user accounts whose network credentials (login identification and passwords) had not been disabled. Thirty-one of these former employees had been gone for over one year. One employee had been gone almost 10 years. Untimely disabling of former employees’ network credentials increases the risk that someone could gain unauthorized access to the state’s information and systems.

Five of the Division’s 77 staff had not completed their annual security awareness training. State security standards require that state employees each receive annual information technology security awareness refresher training to ensure they stay aware of current security threats as well as understanding their responsibility to keep state information confidential.

Desktop computers lacked adequate virus protection. Seven of the Division’s 85 computers did not have adequate virus protection installed. State security standards require that virus protection software be updated regularly to retain protection from evolving online threats. Without current virus protection installed, computers could become infected with malicious software.

Seventeen of the Division’s 85 computers were not receiving Windows operating system updates on a regular basis. Operating system updates are released monthly by Microsoft. State security standards require updates be installed timely to fix security vulnerabilities. Computers without current software security patches installed represent weaknesses in a computer network that can be exploited by a malicious entity to gain unauthorized access to state computer resources and sensitive data stored on them.

Some servers had vulnerabilities. For example, one of the Division’s four servers did not have virus protection software installed. Without current virus protection software installed, servers could become infected with malicious software. In addition, three of the four servers had critical or high-level vulnerabilities due to missing Windows operating system updates. Without installation of these software patches, computers remain vulnerable to online threats.

The Division’s office copiers were not configured to securely process confidential information. Four of the Division’s six photocopiers did not have the Immediate Image Overwrite function enabled as required by state security standards. This function configures the device to erase the processed job immediately after the copy, scan, or fax job is completed, thereby reducing the likelihood of any confidential information being stored on the copier’s hard drive.

Related posts:

  • Audits of New York schools and the State Education Department reveal ongoing significant concerns
Category: Commentaries and AnalysesGovernment SectorOf NoteU.S.

Post navigation

← Bank informs RBI of security breach: Axis suffers cyber attack, hires EY to probe damage
13 countries join global fight against ransomware: Europol →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • National Health Care Fraud Takedown Results in 324 Defendants Charged in Connection with Over $14.6 Billion in Alleged Fraud
  • Swiss Health Foundation Radix Hit by Cyberattack Affecting Federal Data
  • Russian hackers get 7 and 5 years in prison for large-scale cyber attacks with ransomware, over 60 million euros in bitcoins seized
  • Bolton Walk-In Clinic patient data leak locked down (finally!)
  • 50 Customers of French Bank Hit by Insider SIM Swap Scam
  • Ontario health agency atHome ordered to inform 200,000 patients of March data breach
  • Fact-Checking Claims By Cybernews: The 16 Billion Record Data Breach That Wasn’t
  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Trump administration is building a national citizenship data system
  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.