Last week, a Utah man with at least some basic coding skills contacted a local media outlet claiming he had discovered a security vulnerability in the state website used to manage accounts for the Utah Dept. of Transportation (UDOT) Express Passes. Once the media outlet contacted the state, workers at the Dept. of Technology Services (DTS) took the site down and went to work patching the issue and looking into what – if any – data had been compromised.
“We work constantly to minimize vulnerabilities in our systems and to protect personal data of Utah citizens,” says Mike Hussey, executive director of DTS, who was a guest on the CYBER24 podcast this week. “When we discover a vulnerability we close it immediately and work quickly to resolve the issue.”
In this case, the system vulnerability was linked to a program run by a third-party vendor. This same vendor, ETAN, handles similar systems in several other states across the country. UDOT and ETAN examined access logs and quickly narrowed the field of potential compromised accounts from 21,000 to 284 – within a day they had concluded there was no loss of data beyond that accessed by the individual who discovered and reported the vulnerability.
Data breaches are increasingly in the news, but Hussey points out that discovering vulnerabilities in systems and patching them is a common occurrence and an important part of keeping systems secure.
“There is an important difference between a the discovery of a vulnerability and actual data loss,” says Hussey. “We have multiple layers of defense and our systems worked.”