Cybersecurity Impacts All of Us

Our state stores a lot of sensitive data that needs to be protected. As mentioned in last month’s blog, “The State of Idaho’s Cybersecurity,” my team uncovered and reported to the state a number of vulnerabilities on state-owned websites. Then we found more, this time stemming from legislation that was passed without full consideration of the impact to privacy and security of sensitive financial records.

Lack of consideration for cybersecurity places our state government at risk of losing valuable taxpayer money.

Passed in 2010 by the Idaho Legislature and the Governor, House Bill 699 was intended to provide more transparency to education spending:

“Adds to existing law to provide for school districts and other education providers to create an Internet-based website with searchable expenditure and revenues.”

On the surface, this seems simple enough. Require school districts to publish their financial records to their existing websites. What could possibly go wrong? Quite a lot, it turns out.

Without clear, consistent guidance, each school district across Idaho was left to determine how best to publish its financial information–much of which is highly sensitive. They are not funded or staffed appropriately to evaluate the risks of what they implement, nor do I think they should have to be. Some school districts entered their monthly financial statements into spreadsheets; others scanned and published bank records, directly exposing sensitive account information and tax identification numbers. This information can be easily accessed and used by criminals to defraud our school districts and Idaho taxpayers.

In this sample, we have redacted the full name, address, and account number from a statement posted by an Idaho school district as a means of complying with HR 699. While the school district managed to remove the last four digits of the business account number, they did not notice the full account number in the footer of the payment slip.

My team also ran into a barrier while trying to notify the state of this: there is no central cybersecurity incident team within the Idaho State government that can coordinate across state and local agencies. While we found an email address listed in official state documentation for cybersecurity incident reporting, it was invalid and bounced our initial disclosure. We then reached out to state employees and officials. After several redirects and delays, we were able to get the needed attention to this issue. Idaho lacks a central cybersecurity response center with the authority and ability to quickly assess cybersecurity issues, whether financial disclosures, sensitive financial information or potential breaches of state-owned websites or databases.

In this example, we’ve redacted sensitive bank routing information that was posted online and is still easily accessible as of publishing this blog post. My team uncovered many other examples of sensitive financial records similar to this which could be used to steal money from our school districts in Idaho.

As your next Lieutenant Governor, I will gladly take over Lieutenant Governor Brad Little’s role as chair of the Idaho Cybersecurity Cabinet Task Force. Because of my expertise and background in the tech sector, I can ensure that cybersecurity best practices are implemented and security is considered early in the legislative process and addressed in implementation to avoid what has happened with HR 699.

Idaho, we need to up our game on cybersecurity, and it starts with a vote for me on November 6.