A massive computer network used by Maryland employees to store tax records and other sensitive data lacked password protections and other safeguards, making the data easily accessible for a wide range of workers, an audit of the state's Information Technology Division found. The report by Maryland's Office of Legislative Audits said at least 84 employees had unnecessary access to critical programs, 52 separate accounts had passwords without expiration dates and requests for password changes were not vetted for legitimacy -- part of a series of findings that "mainframe security software access and password controls were not adequate" in the state's Information Technology Division. "It makes it a little risky," said legislative auditor Bruce Myers. "Too many employees could see personal data or tax information they don't need to."
The report didn't note any breaches of confidential information. However, investigators were concerned with a lack of safeguards for the data center, saying the network was vulnerable to abuse from third parties -- particularly contractors and financial institutions not prevented from seeing the data. Because of the lack of scrutiny, auditors also said changes could be made to records without being detected.
The Information Technology Division, within the Maryland Comptroller's Office, operates an internal network that provides Internet, e-mail and file sharing to thousands of state employees.
The Information Technology Division serves the state's Department of Health and Mental Hygiene, Department of Labor, Licensing and Regulation, Department of Assessments and Taxation, and the State Retirement and Pension System. The division had a $29.4 million budget last fiscal year.
Top officials for Comptroller Peter Franchot, the state's chief accountant, said they have implemented changes since reviewing the audit.
"ITD is working with the data owners to ensure that access to critical production programs is restricted to only those individuals requiring such access," said Deputy Comptroller Linda Tanton. "All access to critical production programs will be logged."
Officials also say they will ensure all passwords have expiration dates and that personal identification numbers are used to verify employees on the server.