Auditor: Denver doesn’t do enough to protect Social Security numbers, other personal information

“The data was located in a public area in a box file without a lid,” the report said.

An angel perches above a nativity scene on the City and County building steps. Protesters who have set up camp in front of the City and County Building to denounce Denver's urban camping ban are removed by police. Nov. 29, 2016. (Kevin J. Beaty/Denverite)camping ban; right to rest; homeless sweeps; city and county building; police; protest; kevinjbeaty; denver; denverite; colorado;

The Social Security numbers, bank account and routing numbers, full legal names and maiden names and other sensitive personal information of thousands of people are vulnerable to identity theft on the computers and in the file boxes of the city of Denver, an auditor’s report found.

Auditor Tim O’Brien said he did not have evidence that identity theft has occurred as a result of lax city practices, and the city is working on fixing problems identified in the audit. However, O’Brien said he cannot be sure all the vulnerable information was identified in the audit, and the city needs to tighten up security and standardize its practices to prevent identity theft from happening in the future.

Many of those who are vulnerable to identity theft are current and former city employees themselves and their dependents and beneficiaries, the report said. Others who are vulnerable include people who have applied for public benefits and assistance.

The auditor’s report found that personal information of city employees was stored on an unsecured network to which roughly 10,000 people had read-access.

“To confirm that these folders were unsecured, the audit team used Varonis DatAdvantage, a security software tool that analyzes access rights and relationships within groups related to network files,” the report said. “This analysis confirmed that the files were indeed unsecured.”

That hole was closed up when the auditor flagged it.

In another instance, paper files waiting for disposal were left out in the open.

“The data was located in a public area in a box file without a lid,” the report said. “Documents containing PII (personal identifiable information) — including driver’s license numbers, social security numbers, and full legal names — were stored in this unsecure manner.”

The auditor’s report said the network issue was quickly addressed and files secured. However, there needs to be more training, consistency and tracking to make sure information remains secure, the auditor said.

“Although the City was responsive to these revelations of unprotected sensitive PII, remediation does not provide assurance that all such potential instances have been identified,” the report said. “… More broadly, these instances underscore the need for improvements to the City’s controls surrounding the handling of PII.”

Technology Services is in the process of developing a policy to deal with sensitive information, according to the report. In addition to more consistent practices and training, the city needs to create an inventory of all the places that sensitive information exists and make sure the public understands how their data will be stored and protected when they’re asked to provide sensitive information.

The full report is here.

Erica Meltzer

Author: Erica Meltzer

Erica Meltzer covers government and politics. She's worked for newspapers in Colorado, Arizona and Illinois and once won a First Amendment Award by showing up in the wrong place at the wrong time. She served in the Peace Corps in Paraguay and can swear fluently in Guarani. She gets emotional about public libraries. Contact Erica Meltzer at 303-502-2802, emeltzer@denverite.com or @meltzere.