SALT LAKE CITY — A newly released state audit found security weaknesses in the Utah Driver License Division database, including former employees having access to the system.
Although finished last December, State Auditor John Dougall withheld the report to give the division, overseen by the Utah Department of Public Safety, the time to correct any issues identified in the audit. It is the second part of an audit made public in January that showed the division had inappropriately shared Utahns’ personal identifying information with other three state agencies.
“The security of sensitive data held in state databases should be a high priority,” Dougall said. “We appreciate the Department of Public Safety’s efforts to update their security practices to comply with agency requirements as a result of this audit.”
The latest audit found:
- Password requirements for database administrators do not conform to Department of Technology Services policy.
- Individuals retained database user accounts after being terminated from the public safety department.
- Database user accounts were not periodically reviewed for appropriateness.
- Software changes were not appropriately tested before being implemented in the database.
The audit found that the driver license division did not enforce state policy requiring passwords have at least eight characters, including three different character types. It also did not ensure passwords were changed every 90 days.
A review of 108 terminated public safety employee showed 8% had driver’s license database user accounts after they no longer worked for the agency, according to the audit. Auditors noted that increases the risk of confidential information being accessed inappropriately.
The audit also revealed that the driver license division does not do regular reviews of database user accounts or system administrators at the database, server or network levels. Doing periodic reviews would allow the division to identify accounts belonging to terminated workers as well as accounts with permissions no longer afforded users.
In response to the audit, the Utah Department of Public Safety has taken steps to correct the problems. It is committed to ensuring quality security and access controls for all of its databases, according to Kristy Rigby, deputy public safety commissioner.