
Following a report last week that several websites established by the State of Vermont were vulnerable to a data breach, the state has restricted access to sensitive information on the sites, according to Scott Carbee, chief information officer for the Agency of Digital Services.
The move follows reporting by independent journalist Scott Krebs that hundreds of organizations — from banks to health care providers to the District of Columbia — were leaving exposed private and sensitive information from websites created using Salesforce Community software.
Krebs, a former Washington Post reporter who focuses on cybersecurity, wrote that the data exposure was caused by a misconfiguration in the software that allowed “an unauthenticated user to access records that should only be available after logging in.”
Krebs reported that at least five Vermont state websites were affected, including one related to the Department of Labor’s Pandemic Unemployment Assistance program. On that site, a person’s name, address, telephone number, email address, Social Security number and bank account number were vulnerable, Krebs wrote.
Carbee said that had been true until last winter, when his staff discovered the vulnerability in the Pandemic Unemployment Assistance website and closed off access to that information. Last week, after Krebs published his report, the state made similar changes to four other sites, according to Carbee.
Vermont state government uses Salesforce for customer-facing websites, such as those related to unemployment benefits, vaccine registration and grant applications, according to Carbee, and for many applications, including the Department of Labor’s Pandemic Unemployment Assistance program, the Cannabis Control Board and the Department of Liquor and Lottery.
Carbee told Krebs the vulnerable sites were created quickly during the Covid-19 pandemic and did not undergo the state’s normal security review process.
“I would not characterize this as a breach,” Carbee said of the Salesforce problem, explaining that a breach involves someone with ill intent taking data. Rather, he said, some data was exposed, but it would have taken a determined person to find the information.
“The exposure was not that somebody could go in, harvest all the data out of our Salesforce site and go away,” Carbee said. “They had to be very deliberate in the way that they went into the site, the way they searched the site, and then they could search one record at a time.”
Carbee said the Agency of Digital Services has not found any evidence of any unauthorized access to the exposed information on state websites.
Except for the Pandemic Unemployment Assistance program, according to Carbee, the only vulnerable information on state websites was people’s names, addresses and telephone numbers.
As far as the Agency of Digital Services can determine, Carbee said, there is no evidence that any information was actually accessed.
