Vulnerabilities in software used by 200 Vermont municipalities left town employees’ Social Security Numbers and other information exposed.
Brett Johnson, owner of IT company simpleroute, discovered the flaws after two Vermont towns hired him to do some work for them back in 2017.
According to a report in which he wrote about the weaknesses, Johnson said that the vulnerabilities affected the New England Municipal Resource Center (NEMRC) software, which approximately 200 municipalities in Vermont use to store vital data including marriage licenses and tax payment information. The on-premise NEMRC software includes a Visual FoxPro 7 backed application that contained a flat file backend with a client-side application frontend.
The problem is that any users of NEMRC requires full access to the files on the server for the client-side frontend to work properly, thereby elevating the risk of unintended data access. In one file, for instance, Johnson found it was possible for someone to obtain a plaintext file of municipal workers’ Social Security Numbers. In another, the IT consultant found it was possible to discover employees’ banking accounts and routine numbers along with their personal data.
He also found that the NEMRC cloud backup service used a FTP transport mechanism that didn’t employ any encryption.
Johnson submitted his vulnerability findings to NEMRC and gave the company time to patch the flaws. By December 2018, the company had addressed all three security weaknesses. The IT consultant subsequently published his report the following month in January 2019.
From this experience, Johnson hopes to work with Vermont lawmakers to change state law with respect to data breach reporting. As he told VTDigger:
I take issue with where we are today. People need to know. If any of these municipalities ran a security audit of this network, they would find Social Security numbers. It’s a known pattern of numbers; it’s something a good audit would uncover. I don’t know why I am the first one finding this.
All users should update their NEMRC software to the latest version to make sure they’ve protected themselves against the vulnerabilities disclosed in Johnson’s report.
News of these flaws arrive several months after a data security incident at a pediatric hospital potentially exposed the Social Security Numbers and other personal information of more than 100,000 individuals including patients and employees.