Audit reveals abysmal security in state eLicensing system
State auditors harshly criticized a website used by licensed professionals across the state to apply for and maintain credentials, saying accounts were easily hacked because of weak password requirements.
The Auditors of Public Accounts faulted the eLicensing system, which controls more than 600 different professional licenses, permits and registrations, for multiple security failures including one not disclosed in the audit because of its “sensitive nature.”
The Department of Administrative Services manages the eLicensing system.
The audit revealed that in a sample of 161 different users, there were only 17 different passwords, and 103 of the users had the same password. The auditors were able to “hack” into the accounts of 155 of the 161 users just by using a Google search.
According to the auditors’ report, the poor password controls could enable users to guess the passwords of other users, and “it is likely that some would be successful,” potentially allowing access to personal information.
Several issues were cited in regard to login and password information: there were no length or complexity requirements for passwords, passwords never expired, and people could use their login name as their password.
The audit also showed that none of the five state agencies that use the system had any written policies or procedures “related to creating, modifying, or deleting user accounts.” This was cited as another potential security issue that could allow access to personal information. Ten active accounts were found for users who had been terminated from related employment for several years. There were also 190 active accounts that had never been used, according to the report.
The eLicense system, managed by DAS, handles licenses across a number of state agencies such as the Department of Health, Department of Consumer Protection and the Department of Agriculture.
The state of Connecticut has experienced unforeseen issues related to other online systems. The Department of Motor Vehicles’ rollout of a new online registration system in 2015 created long wait lines, false vehicle registration expirations and missing vehicle registrations from town property tax lists. The DMV is now also expanding its role in voter registration due to a federal mandate.
Groups ranging from the Obama administration to libertarian think tanks such as the Institute for Justice have urged state lawmakers to pull back on professional licensing requirements, claiming they act as barriers to employment access. The White House, in a press release, stated, “Research shows that licensing can not only reduce total employment in licensed professions, but also that unlicensed workers earn roughly 7 percent lower wages than licensed workers with similar levels of education, training, and experience.”
DAS agreed with the auditors’ findings and said it would try to address the security issues related to the licensing system.