Estimated read time: 2-3 minutes
This archived news story is available only for your personal, non-commercial use. Information in the story may be outdated or superseded by additional information. Reading or replaying the story in its archived form does not constitute a republication of the story.
SALT LAKE CITY — A newly released state audit found security weaknesses in the Utah Driver License Division database, including former employees having access to the system.
Although finished last December, the State Auditor John Dougall withheld the report to give the division, overseen by the Utah Department of Public Safety, the time to correct any issues identified in the audit. It is the second part of an audit made public in January that showed the driver license division had inappropriately shared Utahns’ personal identifying information with other three state agencies.
“The security of sensitive data held in state databases should be a high priority,” Dougall said. “We appreciate the Department of Public Safety’s efforts to update their security practices to comply with agency requirements as a result of this audit.”
The latest audit found:
- Password requirements for database administrators do not conform to Department of Technology Services policy.
- Individuals retained database user accounts after being terminated from the public safety department.
- Database user accounts were not periodically reviewed for appropriateness.
- Software changes were not appropriately tested before being implemented in the database.
Related:
Driver license division improperly shared Utahns' personal data, audit says
The Utah Driver License Division shared Utahns' personal identifying information with three state agencies in violation of state law, a new audit shows.The audit found that the driver license division did not enforce state policy requiring passwords have at least eight characters, including three different character types. It also did not ensure passwords were changed every 90 days.
A review of 108 terminated public safety employee showed 8% had driver’s license database user accounts after they no longer worked for the agency, according to the audit. Auditors noted that increases the risk of confidential information being accessed inappropriately.
The audit also revealed that the driver license division does not do regular reviews of database user accounts or system administrators at the database, server or network levels. Doing periodic reviews would allow the division to identify accounts belonging to terminated workers as well as accounts with permissions no longer afforded users.
In response to the audit, the Utah Department of Public Safety has taken steps to correct the problems. It is committed to ensuring quality security and access controls for all of its databases, according to Kristy Rigby, deputy public safety commissioner.
