Identity data held by Denver on citizens, employees found to be unprotected
Private, personal information such as the full legal names, driver's license numbers and Social Security numbers of thousands of citizens and current and former City and County of Denver employees was accessible to as many as 10,000 city workers, an audit by the city auditor found.
No evidence of unintended, improper or illegal viewing or access was found, but the audit report pointed out the risk and liability that would have arisen if exposure of such personally identifiable information had led to fraud or identity theft.
Auditor Timothy O’Brien noted the recent news of one billion people having their personal information accessed through a hack into Yahoo’s system pointed to the seriousness of the issue.
“I know Denver doesn’t want to be on that list,” he said.
In Denver, the audit found access was through unsecured computer network folders viewable by city and county employees, as well as printed records awaiting disposal in a box without a lid, stored in a public area. That information included thousands of driver's license and Social Security numbers, along with full legal names.
The city collects personal information to ensure eligibility and correctly identify people who apply for services or benefits, such as child welfare, food assistance, and temporary assistance for the elderly or for people living with a disability. In other instances, the city collects information on illness, disease, and death occurring in the city through the Office of the Medical Examiner.
Info on ex-employees could have been seen by thousands
Senior Information Technology Auditor Karin Doughty told the Independent Audit Committee Thursday, Dec. 15, that one folder had information on some 2,400 former employees, including birth dates and Social Security numbers, that could have been accessed by around 10,000 city employees using a city computer with the credentials to use the city network.
Among the issues the audit listed as contributing to the problems were the lack of a comprehensive inventory of intake points or storage locations for this type of information; a low completion rate for the city’s annual security training, which includes general concepts such as safeguarding and protecting private information; and a lack of public transparency regarding how the information is collected and stored.
Information Technology Audit Supervisor Shannon Kuhn noted the audit found the city lacks a comprehensive citywide strategy for safeguarding such information, with the breakdown in internal controls due to outdated policies and inconsistent practices for safeguarding this type of information.
Kuhn added current policies on records management and data classification and handling had not been updated since 2012 and 2011, respectively.
“Some of the agencies we talked to were unaware of these policies and procedures and were relying on their own policies,” she said.
When the audit was conducted, only 40 percent of city employees were found to have completed the required annual training on safeguarding personal information, Kuhn stated.
Changes in the making to prevent access
Chief Performance Officer David Edinger said Mayor Michael Hancock’s office agreed with all the recommendations in the audit report, which are due to be in place by the end of March.
Scott Cardenas, chief information officer in the city’s technical services department, explained the unauthorized access to computer folders resulted from security and software updates that affected how credentials did and did not allow access. He also noted employee training compliance was now at 58 percent.
Stephen Coury, chief information security officer in the technical services department, added the department was considering more “user-friendly” security tools and would identify “data stewards” in each agency or department to oversee information access in that area.
Coury added the department was likely to take a “disciplined” approach to the required employee training, with denial of computer network access a possible repercussion for those who do not complete the training.