The Social Security numbers, bank account and routing numbers, full legal names and maiden names and other sensitive personal information of thousands of people are vulnerable to identity theft on the computers and in the file boxes of the city of Denver, an auditor’s report found.
Auditor Tim O’Brien said he did not have evidence that identity theft has occurred as a result of lax city practices, and the city is working on fixing problems identified in the audit. However, O’Brien said he cannot be sure all the vulnerable information was identified in the audit, and the city needs to tighten up security and standardize its practices to prevent identity theft from happening in the future.
Many of those who are vulnerable to identity theft are current and former city employees themselves and their dependents and beneficiaries, the report said. Others who are vulnerable include people who have applied for public benefits and assistance.
The auditor’s report found that personal information of city employees was stored on an unsecured network to which roughly 10,000 people had read-access.
“To confirm that these folders were unsecured, the audit team used Varonis DatAdvantage, a security software tool that analyzes access rights and relationships within groups related to network files,” the report said. “This analysis confirmed that the files were indeed unsecured.”
That hole was closed up when the auditor flagged it.
In another instance, paper files waiting for disposal were left out in the open.
“The data was located in a public area in a box file without a lid,” the report said. “Documents containing PII (personal identifiable information) — including driver’s license numbers, social security numbers, and full legal names — were stored in this unsecure manner.”
The auditor’s report said the network issue was quickly addressed and files secured. However, there needs to be more training, consistency and tracking to make sure information remains secure, the auditor said.
“Although the City was responsive to these revelations of unprotected sensitive PII, remediation does not provide assurance that all such potential instances have been identified,” the report said. “… More broadly, these instances underscore the need for improvements to the City’s controls surrounding the handling of PII.”
Technology Services is in the process of developing a policy to deal with sensitive information, according to the report. In addition to more consistent practices and training, the city needs to create an inventory of all the places that sensitive information exists and make sure the public understands how their data will be stored and protected when they’re asked to provide sensitive information.