SPRINGFIELD, Ill. (WREX) — The Illinois Auditor General has released a two-year compliance report for the state's Department of Employment Security. While the audit addresses issues with finances and equipment records, the biggest takeaway is weakness in cybersecurity.
The report only covers issues within the department from July 1, 2017 to June 30, 2019. So, it does not include the massive data breach within the IDES unemployment system discovered this May.
Auditor General Frank Mautino wrote that IDES is responsible for computer systems with large collections of confidential information: names, addresses, Social Security numbers and tax information. However, the audit explains the Department failed to classify data to ensure that information would be protected from cyber attacks.
"Department officials indicated due to the nature of the work done by the Department, almost all data sets are classified as high risk," stated Jim Dahlquist, Administrative Manager for the Auditor General's office. "However, this documentation could not be provided during the engagement, which resulted in the finding."
Knowledge of security policies
The Auditor General also conducted a test to see how many employees completed annual cybersecurity training. Mautino found roughly 10% of employees sampled didn't complete the mandatory training. He also states the Department didn't require new employees to complete the training after they were hired.
IDES officials told the Auditor General they continue to monitor employees to ensure they complete the training. "We cannot speculate how this issue may or may not factor in to the data breach in May 2020," added Dahlquist.
IDES officials have not responded to multiple requests from the Capitol Bureau for comment on the audit. However, some lawmakers are speaking out.
"No one is going to be able to run and hide from this issue," said Rep. Terri Bryant. "I'm not accusing anyone of doing anything nefarious, but I am accusing, I guess, of malpractice."
Working with personal devices
The Murphysboro Republican notes this investigation found a contractor was using a personal computer to work on payroll matters. The audit states IDES didn't have policies in place to safely remove payroll information from personal devices.
Bryant has been critical of the Pritzker administration's response to the recent data breach. However, she also happens to be a former external auditor for the Illinois Department of Corrections. While she isn't shocked by the findings in the audit, Bryant feels IDES is getting away with a slap on the wrist.
"If we had found a finding within the Department of Corrections that was this serious and didn't address it, heads would be rolling," Bryant exclaimed.
Bryant hopes to see a hearing with the Auditor General, IDES officials and the Pritzker administration before lawmakers return to Springfield in November.