Audit dings Utah’s Driver License Division for weak IT security

(Al Hartmann | Tribune file photo) Utah Gov. Gary Herbert receives his temporary driver license at the Fairpark Driver License office in Salt Lake City, July 11, 2017. A new audit criticized the division for some lax security practices, such as not requiring strong passwords and allowing former employees to retain access to the license database.

Utah’s driver license database — which contains millions of names, birth dates, fingerprints and Social Security numbers — fell short of security and password standards, according to a report released Tuesday by the Utah state auditor.

Tuesday’s report is the second in a two-part audit of Utah’s Driver License Division, announced in January. The initial report found that personal driver data had been inappropriately shared with other agencies. The latest findings — delayed to allow corrective action before public release — suggests the division was susceptible to a data breach by failing to deactivate the user accounts of some former employees and failing to enforce password rules like character types, character minimums, quarterly password replacement and user lockouts following unsuccessful password attempts.

“The security of sensitive data held in state databases should be a high priority,” state Auditor John Dougall said in a prepared statement. “We appreciate the Department of Public Safety’s efforts to update their security practices to comply with agency requirements as a result of this audit.”

According to the audit, user accounts for 108 former Department of Public Safety employees were reviewed, with 8% retaining their ability to access the driver license database. The database and Driver License Division servers were also found to have no, or inconsistent, enforcement of password requirements like an eight-character minimum, three character types — i.e. uppercase and lowercase, numerals and special characters — 90-day renewal of user passwords and the disabling of user accounts after three unsuccessful password attempts.

In its response to the audit, included in the report, the Driver License Division said its password policies would be enforced and that the accounts of former employees will be deactivated.

“Driver License does have a termination policy that outlines that the Driver License Help Desk should be notified when an employee is terminated,” the division said in its response. “The termination policy will be followed to comply with the audit finding.”

The division also agreed to implement a biannual review of user accounts to screen for unauthorized users, something that had not been occurring previously, according to the audit.

In a letter to Dougall earlier this month, and included in the public audit report, Deputy Commissioner of Public Safety Kristy Rigby expressed appreciation for the audit team’s efforts to identify issues that needed to be addressed.

“The Department is committed to ensuring quality security and access controls for any database administered by the agency or its divisions,” she wrote.

Return to Story