DENVER — New public records reveal security issues with the state’s new finance and accounting system are putting thousands of state employees’ and contractors’ personal information at risk.
Earlier this summer, a FOX31 Denver investigation warned about problems within the Governor’s Office of Information Technology (OIT), including questionable decisions surrounding a multi-million-dollar statewide computer project known as CORE.
Last summer, before the July 1st CORE launch, insiders cautioned that the computer system was vulnerable to “outside eyes,” which could tap into a large databank of sensitive personal data.
The fear of that kind of breach gained even more credibility this month.
FOX31 Denver has obtained a letter, written by Colorado Secretary of State Scott Gessler on August 29 and addressed to Governor John Hickenlooper.
“There is a table within CORE that exposes thousands of employees’ and contractors’ sensitive financial information … this table can be accessed by roughly 300 CORE users across the state and includes the name, bank account number, bank routing number, and social security number for employees who have received reimbursements from the state as well as for state contractors who have received payments from the state. Data for thousands of state employees and contractors is exposed in this table.”
OIT and the Department of Personnel & Administration are both involved in CORE’s development and implementation.
Executive Director of DPA, Kathy Nesbitt, responded for the Governor, explaining that the old financial system had similar in-house openness issues.
“This access was needed to add new vendors to the system … a regular, ongoing activity. We worked with department controllers to identify the fewest number of employees needed to support this activity without jeopardizing operations. We were able to reduce the access to just 70 employees in CORE as a short-term fix. The long-term fix is to centralize access.”
Prior to Gessler sending the letter, FOX31 Denver investigative reporter Chris Halsne sat down with Suma Nallapati, who was recently chosen as the Governor’s new Chief Technology Chief for OIT.
She addressed security concerns raised by IT managers before CORE launched, telling Halsne, “From a technical side, we had all our ducks in a row in terms of the security aspect, having infrastructure in place to transfer files, things like that.”
Nallapati says she’s proud that she is not only a manager, but a programmer.
She admits that the CORE project was behind schedule for completion, but that OIT employees and outside vendors, like CGI, made critical adjustments to keep the project moving forward.
“For a project of this size, I don’t expect everything to be green all the way to the end,” Nallapati said during an on-camera interview. “So we sat down as a leadership team, looked at what the critical path was for the project success and we ensured we had absolutely great working solutions in place.”
Insiders told FOX31 Denver last summer that their number one concern with CORE was that the state was so rushed to get it done on time that it ignored security holes, which exposed sensitive financial and personal information of taxpayers and state employees.
An IT manager with intimate knowledge of OIT operations and the CORE project told FOX31 Denver in June that, “These are catastrophic failures that will expose millions of sensitive records to identity theft and they already happened in this state whether citizens know or not — there have been massive exposure of personal data in the clear because of poorly designed systems and vendor failures.”
Nallapati responded to overall concerns by telling Halsne, “I can’t answer all of the questions about how it was done in the past, but when I joined the team I ensured the critical path items was absolutely in a green status. Otherwise, we would have pulled the plug.”
Lawmakers aren’t so sure and are calling for their own investigation into CORE.
Colorado State Senator Lucia Guzman tells FOX31 Denver the Legislative Audit Committee recently approved an audit of the CORE system by a vote of 7 to 1. Senator Guzman explains, “It gives our auditors the right for a 40-hour preliminary audit and the auditor will bring that back to us in a few months and let us know if those findings say this is an important way to go.”
Guzman says the decision for the audit comes after some lawmakers saw FOX31 Denver’s original investigations into allegations of nepotism, no-bid contracts and fraud within the Governor’s Office of Information Technology prior to Nallapati’s arrival.
FOX31 Denver will publish the audit findings as soon as it’s completed.