Social Security numbers were showing up in 311 databases, Denver auditor finds

This is the second time in a year that Denver Auditor Timothy O’Brien found that the city didn’t take adequate steps to protect sensitive information.

staff photo

Barking dogs, graffiti and questions about trash and recycling make up the bulk of calls to Denver’s 311 system, so it was a surprise to city auditors when they found Social Security numbers and other sensitive, personally identifiable information visible in databases available to other city employees.

This is the second time in a year that Denver Auditor Timothy O’Brien found that the city didn’t take adequate steps to protect personally identifiable information that could be used for identity theft.

The auditor expects this to be an ongoing problem that requires constant vigilance as the city increasingly uses large databases and outsources this work to third-party vendors.

In the first case, which was discovered in a December 2016 audit, personal information belonging to city employees and their dependents and beneficiaries, as well as information of people who received public benefits, was stored on insecure networks to which roughly 10,000 people had read-access. The auditor also found paper files with sensitive information stored in open boxes.

The city took quick steps to close these vulnerabilities, and there is no indication that identity theft occurred.

The auditor hired a data analytics specialist to do something called “continuous auditing” of databases as a way to quickly find vulnerabilities and close loopholes.

“One of my goals in being elected Denver auditor was to examine the city’s cyber-security framework,” O’Brien said in an email. “The city and county of Denver, like most big organizations, is increasingly reliant on large information systems and databases. This is mostly a good thing, as accurate and comprehensive information leads to better decision-making and increased efficiency. But there is the danger that sensitive information will be misused or stolen.

“In particular, Denver constituents deserve to have their personally identifiable information (PII), like Social Security numbers, drivers’ license numbers, birthdates, etc., protected from disclosure.”

In the case of the 311 data, it was surprising to find the Social Security numbers. Information of that nature isn’t collected in the vast majority of 311 calls, and when Salesforce set up the database in 2014, it was made widely accessible to a lot of city employees so they could respond efficiently to constituent complaints. However, the 311 database also includes people who had questions about public benefits and city employees with questions about payroll. In some of those cases, Social Security numbers and birth dates were collected or people entered that information in online queries without being asked for it.

There weren’t sufficient procedures in place to shield that sensitive data within the 311 database, the audit found. There were 25 employees who had access to the information because of how their security permissions were configured. Those permissions were changed immediately once the problem was found.

“Because the 311 system is the city’s main vehicle for collecting complaints and requests, many city employees have access to it. Because most of the employees who could view the 311 PII had no need to see it, we alerted the mayor and Tech Services to refine the ‘permissions’ granted to these employees and to restrict access to this information to those who needed to see it,” O’Brien wrote. “Once we brought it to their attention, Tech Services immediately restricted access to the sensitive information. Triggering that sort of rapid remediation is a chief benefit of ‘continuous auditing.'”

At the auditor’s recommendation, Technology Services will also create a report in Salesforce so that agencies get a periodic review of user profile permissions and settings. Tech Services also will work with Salesforce to make sure it’s using the security procedures that are required under its contract.

Speaking for Technology Services, Jenny Schiavone, director of citywide marketing, said the problem was not with Salesforce technology, but in some of the configurations.

“Salesforce security practices were verified and confirmed to meet city standards during the RFP process, and the city will continue to review and verify security compliance throughout the life of the contract,” she said in an email. “A penetration test and vulnerability scan were performed in the spring of 2017. Additionally, we’ve requested a Systems and Organization Controls (SOC 2) report from Salesforce to ensure the security, integrity, and confidentiality of our CRM.”

Technology Services also will update the language on the Denver 311 webpage, as well as the main DenverGov and PocketGov webpages, to discourage the submission of sensitive personal data.

The department has until March 31, 2018, to adopt the audit’s full recommendations, but manual reviews of Salesforce’s security compliance are already underway.

The city’s information governance committee is also in the process of creating a comprehensive data privacy policy.

You can read the full audit here.

Update: This article has been updated to include clarifications about the technological issues that led to the data being visible and the steps being taken to correct them. It has also been corrected to say that 25 city employees had unnecessary access to sensitive information.