A Vermont IT consulting shop that provides municipal management software used by every city and town in the state has been fined $30,000 for leaving workers’ sensitive information vulnerable to hackers.
In some ways, New England Municipal Resource Center's (NEMRC) failure to adequately maintain and update its software, and to fix known vulnerabilities across some 200 installations, serves as a cautionary tale for IT service providers and software developers on the importance of cybersecurity vigilance.
Background: (via VTDigger)
The Fairfax, Vermont-based NEMRC develops software used by government localities to handle functions such as utility bills, tax bills, land records and animal licenses. NEMRC's founder, Ernie Saunders, still runs the 23-year-old outfit from his home.
Brett Johnson, a consultant with simpleroute, a Burlington, VT technology services provider, discovered glaring security flaws in the NEMRC software while doing work for two Vermont towns in 2017. Johnson found that hackers could easily steal Social Security numbers and banking information of municipal workers, some of whose data had sat on city and town servers since 2006.
NEMRC uses Microsoft's long-discontinued Visual FoxPro. Mainstream support for the version NEMRC uses ended in 2010 (Microsoft's extended support for Visual FoxPro 9 ended in January 2015), meaning no security patches have been available for years. "You could make a strong case that Visual FoxPro shouldn't be used on a government level," Johnson previously said (via VTDigger). According to Johnson, anyone using the town system would have access to sensitive data, with no per-role restrictions on who could read the records. "In some towns, you might find the garage mechanic had access to NEMRC," he said. "You add up all those workers, and all it takes is one bad actor at some of those towns."
In a settlement with the Vermont Attorney General's office, NEMRC in May agreed to upgrade its security and training, develop an information security program and pay the penalty to resolve complaints that its data security violated the Vermont Consumer Protection Act. "Our first priority was to ensure that the software was secure in order to protect Vermont’s citizenry and the safe operation of its cities and towns,” said Attorney General T.J. Donovan in a statement. “Small businesses are integral to the economic vitality and culture of Vermont, and I want to encourage those businesses to ensure they are protecting Vermonters’ data privacy,” the AG said.
Not only did NEMRC fail to use appropriate encryption when storing sensitive information; the company's cloud server also lacked antivirus or endpoint security software and appropriate logging of access attempts. "The Attorney General's investigative team was able to decode Respondent's algorithm in an hour of focused effort," the AG's office said. A scheme that can be decoded that quickly suggests a home-grown reversible encoding rather than a standard cipher with a key that is managed outside the application; the settlement does not describe the algorithm itself.
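To illustrate the failure mode the settlement describes, the following Go example (added here; it is not NEMRC's code, and the XOR scheme, the embedded key `nemrc`, the `employee:42:ssn` row label and the sample SSNs are all constructed for illustration, since the settlement does not describe the real algorithm) shows why a reversible home-grown encoding with an application-embedded key falls to a single known record, and contrasts it with per-field AES-256-GCM from the Go standard library, where the associated data binds each ciphertext to its row and any tampering fails closed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// builtinKey is a HYPOTHETICAL application-embedded key for the weak scheme
// below. It is constructed for this example; the settlement does not describe
// NEMRC's real algorithm.
var builtinKey = []byte("nemrc")

// weakObfuscate is an illustrative home-grown "encryption": XOR with a short
// key that ships inside the program, so every installation shares it and the
// transformation is fixed. Anyone holding one (plaintext, stored) pair can
// reverse it for every other record.
func weakObfuscate(plain []byte) []byte {
	return xorWithKey(plain, builtinKey)
}

// xorWithKey applies a repeating-key XOR; the same call encodes and decodes.
func xorWithKey(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// recoverKey is the attack: with one record whose plaintext is already known
// (an employee's own SSN, say), XOR known against stored to obtain the key
// bytes, after which every other field in the database decodes directly.
func recoverKey(known, stored []byte, keyLen int) ([]byte, error) {
	if len(known) < keyLen || len(stored) < keyLen {
		return nil, errors.New("need at least keyLen bytes of known plaintext")
	}
	key := make([]byte, keyLen)
	for i := range key {
		key[i] = known[i] ^ stored[i]
	}
	return key, nil
}

// sealField is the hardened form: AES-256-GCM with a fresh random 96-bit nonce
// per field, prepended to the ciphertext. aad (e.g. "employee:42:ssn") is
// authenticated but not encrypted, so a ciphertext cannot be copied into a
// different row or column undetected. The key must come from outside the
// application (a KMS or OS keystore), never from a constant in the binary.
func sealField(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openField reverses sealField and fails closed on any change to the
// ciphertext, the nonce or the associated data.
func openField(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed sample records, not real data.
	knownSSN := []byte("123-45-6789")
	otherSSN := []byte("987-65-4321")

	// Weak scheme: one known record gives up the key and everything else.
	stored := weakObfuscate(otherSSN)
	key, _ := recoverKey(knownSSN, weakObfuscate(knownSSN), len(builtinKey))
	fmt.Printf("recovered key %q, decoded other record %q\n", key, xorWithKey(stored, key))

	// Hardened scheme: moving a ciphertext to another row is detected.
	aesKey := make([]byte, 32)
	io.ReadFull(rand.Reader, aesKey)
	blob, _ := sealField(aesKey, otherSSN, []byte("employee:42:ssn"))
	pt, err := openField(aesKey, blob, []byte("employee:42:ssn"))
	fmt.Printf("decrypted %q err=%v\n", pt, err)
	_, err = openField(aesKey, blob, []byte("employee:43:ssn"))
	fmt.Println("moved to another row:", err)
}
```

The point of the contrast is not the cipher alone: the weak scheme is broken because its key is a constant inside the program and the transformation carries no integrity check, so one known record and a field-by-field comparison are enough. The hardened version still needs the key kept outside the application and rotated, which is the part a settlement-mandated information security program has to specify.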
So far, there is no tangible evidence of security breaches in any of the NEMRC installations, but that does not necessarily mean none have occurred: with no access logging, the absence of evidence is only that. "Due to the lack of logging and other basic threat-detection methods, it would not be possible to detect many types of security breaches that may have occurred," the AG's office said in settlement documents.
In his report last January, Johnson apparently found the security flaws in NEMRC's software serious enough to suggest that Vermont legislators change breach reporting requirements to include potential vulnerabilities, not just confirmed breaches. The developer's software is reportedly less expensive than alternative platforms, an indication that the budget constraints of small towns are a factor in known vulnerabilities going unrepaired. "A lot of municipalities look at 'What does it cost?' versus what do they need," Johnson said. "We've left it to everyone to self-regulate, and the smaller municipalities aren't doing their due diligence because they don't have the funds or the ability to do so."
A copy of the settlement can be read here.