Very bad things happen when security protocols are neglected. Just ask Stephen Fletcher, the now-former CIO for the state of Utah. Fletcher was fired by Gov. Gary Herbert this week over the March data breach that compromised the personal and medical information of about 780,000 Utahns. Two of Fletcher’s former employees are under investigation in connection to mistakes that led to the breach.
Somebody fell asleep at the switch — or server, as it were — allowing hackers in Eastern Europe to slip right into the state’s Medicaid database. They slipped out with hundreds of thousands of birthdates, names, addresses and social security numbers, among other useful tidbits. It’s believed that, by exploiting an unchanged default password on the user-authentication layer of the system, they were able to bypass multiple layers of security controls. Yes, a default password cost at least one person his job, more than half a million people their privacy and millions in taxpayer dollars to clean up the mess.
Herbert said he sought the CIO’s resignation because Fletcher lacked “oversight and leadership.” Ouch. Maybe this wouldn’t sound so bad if, as several accounts suggest, Fletcher weren’t so good. Since he was named the state’s CIO in 2005, Utah has emerged as a leader in government tech and innovation, and Fletcher has been credited with leading the state to successful enterprise-wide IT consolidation and centralization. He’s a past president of the National Association of State Chief Information Officers and a past recipient of Government Technology‘s “Top 25 Doers, Dreamers and Drivers” award. But now a default password overshadows all of that.
Fletcher told Government Technology that the incident was preventable and is an example of why more funding is needed to protect government IT systems. In just the past four months, he said, cyberattacks on the state’s technology system have spiked 600%. But Fletcher also bemoaned the fact that this would overshadow all of the good work done by his department — the cost savings, the consolidation, the presence of more than 1,000 online services for residents.
Whether Fletcher is personally at fault is still under investigation, but he certainly has taken the fall. One would hope security protocols at least existed — if not, the blame surely lies at his feet. If they were in place and employees simply didn’t follow them — well, the blame still falls on Fletcher. In the end, he is the leader in this scenario, and unless it can be proved his team members maliciously left the server vulnerable, it’s his job to make sure they do theirs.
Certainly, this is an extreme example of what can go wrong when security protocols are not adhered to (or are possibly nonexistent), but nonetheless one worthy of every CIO’s attention. Handling security and compliance is a balancing act and a team effort. Stories like this one are sobering reminders that, while it isn’t easy, steadfast attention to managing information risk has value beyond measure.