A California state government office under the military department didn’t change the default passwords that came with some of its IT systems, creating a “significant threat of an attacker gaining unauthorized access to its network.”
Another office wasn’t running security updates on some of its devices.
A third agency that was notified of security deficiencies in 2013 still hadn’t fixed them in 2019. When the California State Auditor asked about the deficiencies, the agency offered PowerPoint presentations with status updates.
“These presentations do not consistently provide key details such as who is responsible for tracking each deficiency, the strategy for resolving the deficiency, and the target date for completion,” the auditor wrote in a report published Tuesday.
The report uncovered “high-risk” deficiencies in state information technology at 21 state departments, agencies or other government offices. The report doesn’t identify them. The auditor looked at agencies, departments, boards, commissions and other offices that don’t fall under the direct authority of the Governor’s Office, including state executive offices led by independently elected officials and offices under the judicial branch.
Many of the organizations reviewed lack external oversight and don’t regularly update their security standards, according to the report, “placing some of the state’s sensitive data at risk of unauthorized use, disclosure, or disruption.”
The report suggests the Legislature pass a law to increase oversight, raising the specter of a large-scale data breach in which reams of personal data could be exposed to identity theft.
“Given the amount of data the state maintains, the financial cost of a data breach and the damage to its credibility and reputation could be significant,” the report states.
Breaches involving more than 50 million records can cost an average of $350 million, according to the report. In 2017, data breaches averaged $3.86 million, according to the report, citing a study by IBM Security and the Ponemon Institute.
The report found similar shortcomings in 2013 for offices that fall directly under the governor. The state’s Technology Department oversees those offices’ online security, which has improved since the audit six years ago, according to the audit report.