Audits: Ex-employees' computer access leaves Mpls. open to breach

Two separate audits have found Minneapolis failed to terminate the computer accounts of some former city employees, leaving city systems vulnerable to a data breach.

In one case, detected by the Minneapolis Internal Audit department, a former payroll supervisor retained the ability to make changes to the city's personnel database months after leaving her job. That system is considered especially sensitive, because it is accessible over the Internet.

In a separate review earlier this year, the Office of the State Auditor found three former employees in the finance department still had access to the city's general ledger, its central bookkeeping system.

"When terminated employees have access to city systems, it increases the risk that malicious damage to the city's data files and systems, fraud, and/or misstatements may occur," the state auditor's report said.

The reasons the accounts were left open varied. In some cases the city failed to tell its information technology vendor, Unisys, to disable access to the finance system. In another case, the city did inform Unisys, but the employee's last name had changed, and so the account remained active.

The city's own review didn't determine why the additional accounts remained active.

"The fact that they still have access is enough for us to say there's a problem here," Internal Audit Director Will Tetsell said.

While allowing any terminated employee ongoing access to the city's computer systems is problematic, Tetsell's audit vastly overstated the extent of the vulnerability. It erroneously concluded that more than 700 ex-employees still had active logins.

After examining the data, MPR News discovered many of the "former" employees on the list weren't former at all.

"I'm still here," said Intergovernmental Relations Director Gene Ranieri, who was listed as terminated in the city's human resources database.

In addition to his work as the city's top lobbyist at the state Capitol, Ranieri also pitches in at the polls as an election judge — so every year, he's hired for one day and terminated from that job shortly afterward. City Council President Barbara Johnson showed up on the list for the same reason.

The internal audit also swept in current employees who had a gap in their service to Minneapolis, including an assessor who returned to the city after a brief stint at Dakota County.

Timothy Homstad, a consultant who analyzed the data for the city, acknowledged what he called "an error in my logic" leading to the inflated numbers in the internal audit report.

Homstad revised his analysis and found the number of terminated employees with active computer accounts was far smaller than 700. In fact, just three were clearly problematic. There were another 576 — mostly seasonal Park Board employees — where the city's data was insufficient to determine if the accounts were legitimate.
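The reconciliation described above, as an added example that is not code from the city, its consultant or MPR News: it compares HR job records with enabled accounts, and shows how flagging anyone with a terminated job record sweeps in current staff. The record layout, employee IDs, logins and dates are constructed assumptions, and the naive rule is one plausible way to produce an over-count, not the consultant's actual logic.

```python
from datetime import date

AS_OF = date(2014, 12, 1)  # constructed review date

# Constructed HR data: one row per job record (employee_id, job, start, end).
# end=None means the job is still active.
HR_JOBS = [
    ("E100", "Department director", date(2001, 1, 2), None),
    ("E100", "Election judge", date(2014, 11, 4), date(2014, 11, 5)),
    ("E200", "Assessor", date(2005, 3, 1), date(2012, 6, 30)),  # gap in service
    ("E200", "Assessor", date(2013, 2, 1), None),               # rehired
    ("E300", "Payroll supervisor", date(2008, 5, 1), date(2014, 1, 15)),
]

# Constructed account data: (login, employee_id, enabled).
# Joining on employee_id instead of surname keeps a name change from hiding a match.
ACCOUNTS = [
    ("jdoe", "E100", True),
    ("asmith", "E200", True),
    ("mjones", "E300", True),    # the only job record ended months ago
    ("park07", "E999", True),    # no HR record to compare against
    ("old-temp", "E300", False), # already disabled, ignored
]

def naive_flags(jobs, accounts, as_of):
    """Flag every enabled account whose owner has ANY terminated job record."""
    ended = {emp for emp, _job, _start, end in jobs if end and end <= as_of}
    return sorted(login for login, emp, on in accounts if on and emp in ended)

def classify(jobs, accounts, as_of):
    """Flag an account only when ALL of the owner's job records have ended."""
    ends_by_emp = {}
    for emp, _job, _start, end in jobs:
        ends_by_emp.setdefault(emp, []).append(end)
    result = {"disable": [], "ok": [], "undetermined": []}
    for login, emp, enabled in accounts:
        if not enabled:
            continue
        ends = ends_by_emp.get(emp)
        if ends is None:
            bucket = "undetermined"  # insufficient data, needs manual review
        elif all(end is not None and end <= as_of for end in ends):
            bucket = "disable"
        else:
            bucket = "ok"
        result[bucket].append(login)
    return result

if __name__ == "__main__":
    print("naive:", naive_flags(HR_JOBS, ACCOUNTS, AS_OF))
    print("per-person:", classify(HR_JOBS, ACCOUNTS, AS_OF))
```
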

The city's technology department says there's no indication of a data breach, although neither it, nor the human resources department has checked for one. Until MPR News began raising questions about the audit, the HR department hadn't even reviewed the list of names flagged in the audit.

The HR department is reviewing a longstanding practice of allowing terminated employees to access their personnel data for 30 days after they leave the city. Many private companies terminate access to those systems immediately.

"Your credentials should be shut off even minutes prior to you walking out the door with your box of belongings," said cyber security expert Mark Lanterman, chief technology officer of Minnetonka-based Computer Forensic Services.