
Outdated software that is used by about 200 Vermont municipalities and the Vermont Tax Department has long contained flaws that exposed sensitive information including Social Security numbers, according to an IT consultant and the software company’s founder.
New England Municipal Resource Center, or NEMRC, is software that cities and towns use for managing functions such as utility bills, tax bills, land records, and dog licenses. NEMRC was started by Ernie Saunders at his home in Fairfax in 1984, and Saunders still runs the company from his home, now with 23 employees around the state.
South Burlington IT consultant Brett Johnson said he discovered security flaws so serious that he is now talking to lawmakers about changing reporting requirements to include potential data breaches, not just data breaches that have already occurred. Johnson wrote a report on the matter in January.

Johnson, who owns an IT company called simpleroute, became aware of the NEMRC flaws after he was hired to do IT work for two Vermont towns in 2017. He said he found it would be easy for a hacker to gain access to municipal workers’ Social Security numbers and to their banking and routing information. Some of that information had been available on city and town websites since 2006, he said.
The network uses a discontinued Microsoft program called Visual FoxPro that was created in 1984. Microsoft stopped providing support for the version used by NEMRC in 2010, Johnson said.
“You could make a strong case that Visual FoxPro shouldn’t be used on a government level,” Johnson said.
He said information was stored in such a way that in some places, anyone who uses the town system would have access to it. In others, a knowledgeable outsider could easily gain access, he said.
“In some towns, you might find the garage mechanic had access to NEMRC,” Johnson said. “You add up all those workers, and all it takes is one bad actor at some of those towns.”
No towns have reported any information breaches as a result of the NEMRC system, according to the Vermont League of Cities and Towns.
The state of Vermont Tax Department uses NEMRC to compile grand list information, said John Quinn, the secretary of the state’s Agency of Digital Services, who only learned of the security problems with NEMRC when contacted by a reporter.
“Our security team has already started looking into it and making sure the security vulnerabilities have been filled,” said Quinn. He added that his office had already planned to replace the system, and has an RFP going out this week for that work.
“It’s an outdated system and an outdated technology,” Quinn said of the NEMRC system.
Vermont Assistant Attorney General Ryan Kriger said Tuesday that his office was aware of the case and monitoring it.
Saunders, NEMRC’s owner, acknowledged that there had been security problems but said he’s now addressed them.
“I wouldn’t say it’s not true,” he said of Johnson’s report. “I agree that it was vulnerable.” He added that he welcomed Johnson’s scrutiny and report because it helped him patch some flaws. Johnson contacted him about the problems about a year ago, he said.
“I immediately sent that over to my head programmer and said, ‘Scott, let’s look into these,’” Saunders said. “And that’s what we did. There are always vulnerabilities in any system, and they did a good job doing a deep dig on looking for vulnerabilities.”
NEMRC’s software is much less expensive than the alternatives available on the national market, said Johnson, Saunders and Wendy Wilton, who was treasurer for the city of Rutland for 10 years. She said Saunders was very responsive to any problems that were revealed.
“The fact is, it’s a real bargain, and I always felt like we had a good, safe system,” said Wilton, who said she worked closely with Saunders. “Nobody ever hacked it.” She noted that responding to security problems that arise “is part of the process” with any software. And the software’s age is what makes it so affordable, she said.
Updating the software from Microsoft is unnecessary, she said, because it can be done in-house.
“You can write the code,” Wilton said. “That’s what Ernie and his team do. Even if Microsoft might not support FoxPro, you can still write in it, and make encryptions happen, and adjust the software; they did this while I was there.”
Johnson said he wrote his report on NEMRC because there’s an understanding within the IT community that it’s important to let the public know about possible security problems. He waited to release it in January until the information had been secured, he said. Under the law, companies and institutions must report data breaches to the state.
Like Wilton, Saunders said security updates will always be needed, and he didn’t consider his own system to be out of the ordinary.
“Remember, this is in a private network in a town,” Saunders said. “To be honest, I go into some town offices and they have their password taped on the computer, so that means if a custodian came in and said that’s the password and goes into the system, they could also find information on people’s Social Security numbers and stuff.”
Johnson said he hopes to work with lawmakers to change state law so potential breaches can be reported.
“I take issue with where we are today,” Johnson said. “People need to know. If any of these municipalities ran a security audit of this network, they would find Social Security numbers. It’s a known pattern of numbers; it’s something a good audit would uncover. I don’t know why I am the first one finding this.”
