Weaknesses in the information security of some California state offices were brought to light by the state auditor's report, Gaps in Oversight Contribute to Weaknesses in the State's Information Security, which calls for additional oversight and regular security assessments.
The report arrives in the midst of ongoing conversations about the security of customer data, less than six months before the California Consumer Privacy Act (CCPA) is scheduled to go into effect, and at a time when governments are grappling with the ever-growing threat of cyber-attacks.
According to the report from state auditor Elaine Howle, the personal information of California residents may not be protected because of flaws in the government’s IT systems. “We surveyed 33 non-reporting entities from around the State and reviewed 10 of them in detail. Twenty-nine of the 33 obtained an information security assessment to evaluate their compliance with the specific security standards they selected, 24 learned that they were only partially compliant, and 21 identified high-risk deficiencies,” the report said.
Howle called for state agencies to do more in order to effectively safeguard the information that state government agencies collect, maintain and store. Additionally, Howle noted that “the non-reporting entities we surveyed may be unaware of additional information security weaknesses because many of them relied upon information security assessments that were limited in scope.”
Because California has usually been considered a trailblazer when it comes to information security and data privacy practices, Ben Sadeghipour, head of hacker operations at HackerOne, said the auditor’s report comes as a surprise. “When you are a large government agency like the State of California dealing with the data of almost 40 million residents, it is absolutely critical to have consistency across information security policies, especially among the numerous government entities who are tasked with handling, storing and safeguarding personal data,” said Sadeghipour.
“Cyber-criminals are constantly searching for ways to exploit vulnerabilities, especially in the government sector due to the notion that they are easy targets with a goldmine of data. Every government agency, regardless of budget, should at minimum implement a vulnerability disclosure policy (VDP) so that security researchers or ethical hackers can find those vulnerabilities before the bad guys do.”