Featured Stories

Other Pamplin Media Group sites

Employment Dept. computers still vulnerable a year after breach


SALEM — Computer systems at the Oregon Employment Department remain vulnerable more than a year after a major data breach at the agency, according to a state audit released this week.

State employees have taken steps to tighten the Employment Department’s cyber security, but auditors found that problems remain. These include a lack of control and tracking of which state employees can access data, and ongoing security flaws at the state data center where the Employment Department systems are housed.

The data breach at the Employment Department in October 2014 affected more than 800,000 people. An anonymous tip alerted the state that hackers had accessed information including names, addresses and social security numbers of people who were looking for work. People who received unemployment insurance also received notices they might be affected.

Many of the problems cited in the audit stem from the Employment Department’s use of mainframe computer programs from the 1990s, housed at the Department of Administrative Services’ state data center. The agency started the process to replace the systems, which it uses to collect employment taxes and disburse benefits, but it will take a decade to complete, said Legislative and Public Affairs Manager Andrea Fogue. By then, the systems will be at least 30 years old. As a result, employees have to do a lot of work manually.

“It is a long, ongoing process so it’s happening as quickly as it can,” Fogue said.

State employees also lack a complete understanding of the systems’ security functions, because of poor documentation over the years, auditors wrote. Auditors found the Employment Department and Department of Administrative Services have not done enough to protect confidential information from inside the organization, by restricting access to certain high-level employees and monitoring their actions.

Old computer systems have prevented the Employment Department from fixing security flaws on its website that put Oregonians at risk of what is known as a “man in the middle” attack. As of Wednesday morning, the Employment Department portal where people can file claims for unemployment insurance was still using the encryption protocol TLS 1.0 that has been known to be vulnerable for years.

Fogue said earlier this year that IT employees had taken additional steps to encrypt the sensitive information entered on the website, so even if an attacker intercepted the information, “it would take years” to decipher. The EO Media Group/Pamplin Media Group Capital Bureau first reported on the security weaknesses on websites operated by the Employment Department and other state agencies in April.

In a written response to the audit, Employment Department Director Lisa Nisenfeld wrote that the agency has already started to implement some of the auditors’ recommendations. However, Nisenfeld wrote that some of the suggestions — such as strictly limiting which employees can access certain data — cannot be implemented until a new system is in place.

Auditors wrote that computer systems should employ “a complex and multi-layered” security system to defend against hackers, but stopped short of saying whether the Employment Department systems met that goal. They did, however, refer to the findings of an audit of the state data center earlier this year which also apply to the Employment Department systems at the facility. That audit found that state data center employees never implemented many of the security strategies planned when the facility opened in 2006, and they ignored repeated findings of security shortfalls in half a dozen state audits and a private consultant’s report.

The computer systems also handle a lot of money: in 2014, the state collected $1 billion in employment taxes and paid out $625 million in unemployment insurance benefits, according to auditors.

The Employment Department had also been skipping an important step that could detect unemployment tax return errors, according to auditors. That crucial report could help the state detect when employers over or under report taxable wages. Auditors found that roughly 4,400 employers might have underpaid their taxes by as much as $2.9 million in 2014, or 0.4 percent of total taxes collected. At the same time, other employers overpaid their taxes by nearly $850,000.

Hillary Borrud is a reporter with the Pamplin Media Group/EO Media Group Capital Bureau in Salem.