Questions about Utah government data security after DMV theft

Posted at 9:00 PM, May 30, 2013
and last updated 2013-05-30 23:43:55-04

SALT LAKE CITY -- Government officials insist their databases are secure after a data theft at Utah's Division of Motor Vehicles was uncovered by Salt Lake City fire investigators investigating a car fire.

In a statement Thursday, Utah State Tax Commission Executive Director Barry Conover insisted there was no breach into the DMV's system, but rather "access by individual employee."

"The Tax Commission, including the DMV, has a strict no tolerance policy on sharing of confidential and protected information. This is why we took swift corrective action and terminated the employee. We are confident that this violation was committed by one person over a very limited time period," he wrote.

Governor Gary Herbert was made aware of the data theft after FOX 13 News first reported it on Wednesday night. Officials in his office said Thursday they were confident the DMV's system was not breached.

Salt Lake City Fire Department investigators stumbled on the data theft while looking into a car fire, which stemmed from a road rage incident last year. In a search warrant unsealed in Third District Court, investigators wrote that the employee had confessed to looking up people's personal information and giving it to others -- knowing it would be used to commit crimes.

Salt Lake City Fire Marshal Martha Ellis said the woman had admitted to accessing the personal information over the course of 14 years that she had worked for the DMV. The employee was fired in March.

The DMV acknowledged to FOX 13 on Wednesday its system cannot exactly track who looks up what on their computers -- so the agency has no way of knowing what crimes were committed with the personal information or how widespread it is.

"It's a concern that we've had for a while," said Rep. Paul Ray, R-Clearfield.

Ray co-sponsored legislation earlier this year to tighten up computer security in state government after hackers stole more than 780,000 people's personal information from a Utah Department of Health Database.

In an interview with FOX 13 on Thursday, Ray said he has long held concerns about employees being "planted" by criminal enterprises to mine state databases for personal information. He was surprised the DMV didn't have software that could track employees' actions.

"That's something we're going to have to address because even the most simple technologies now you know who logs in, when they log in, what programs they've gotten into and what changes, if any, they've made," he said. "I'm just surprised in a state database that hasn't happened already."

Pete Ashdown, the president of XMission, said there is no security that is 100-percent, but there are steps that can be taken to audit employees' actions.

"You do have to have trust of the people that are working there, but you also need to audit what they are doing," he said Thursday.

Ashdown said government agencies are slow to update their data security, but it will become an increasing priority as more information is put on computers and online.

"Keep in mind, they've been doing it for about 200 years and now they're moving to the Internet and putting things on computers -- they've had about 20 years to do that," Ashdown said. "I think it's still quite new for a lot of governments and some of these problems that they're facing are new problems."

The DMV has said it plans to install tighter security software as soon as October.  Ray said he may address the DMV data issues at the June 19 interim session of the Utah State Legislature.

"For me, we're not moving fast enough," he said. "But given the situation, we're moving as fast as we can. We're kind of in a Catch-22."