Kansas doesn't do enough to secure computer systems used by state government, making confidential information vulnerable to hackers, a legislative audit said Thursday.
Auditors said their review of nine state agencies showed significant security weaknesses. Their report, presented to legislators, said none of the agencies had done a comprehensive assessment of computer security risks, and auditors cracked a significant number of employee passwords at six of them.
The agencies were reviewed because of the amount of confidential information in their electronic files, including Social Security numbers, data from tax returns and data identifying individuals. The report also said the state provides only limited oversight of agencies' security controls.
"Some agencies are responsible for protecting millions of confidential records, which makes them a potentially enticing target for hackers," the audit said.
The public report did not specify problems at individual agencies, but the committee that oversees the Legislative Division of Post Audit held a closed-door review of confidential reports on each agency.
Committee member Terry Bruce, the incoming Senate majority leader, said the report changed some officials' attitudes toward security issues.
"There were some who, they just never took it seriously," said Bruce, of Hutchinson. "They're now correcting that."
The agencies reviewed were the departments of Commerce, Corrections, Education, Labor and Revenue, along with the state treasurer's office, Juvenile Justice Authority, Board of Indigents' Defense Services and Department of Wildlife, Parks and Tourism.
In a response to the audit, John Byers, the executive branch's chief computer security official, said decentralization of state computer systems has contributed to security problems and his office is working to address such issues. Gov. Sam Brownback's administration now has one office overseeing management of all executive branch computer systems.