Vermont Department of Taxes Discloses Vulnerability That Lurked for Three Years

August 3, 2020

Last week, the Vermont Department of Taxes announced a security vulnerability that lurked in its internal systems for over three years. Starting in February 2017, Property Tax Transfer documents sent to towns to become public land records improperly included credentials that could be used to access personal information, including Social Security Numbers, of the buyer and seller of the property.

In other words, if you bought or sold property in the last three years, you paid a tax and filed documents with the Department of Taxes. The Department then turned over parts of the document to the town in which the sale occurred, where they became part of public land records. Anyone who then accessed those records (think real estate agents and attorneys, not to mention town employees) could use the “password” that was improperly included on the document to view further details on the Tax Department website, including your Social Security Number.

In the grand scheme of security breaches, this isn’t that bad. As Vermont Tax Commissioner Craig Bolio put it in an interview with VTDigger: “It’s not as if you could walk into a municipal office and get private tax data”. That’s true, but as I see it, there are a few complicating factors:

  1. Were these records stored electronically by the towns? Many towns in Vermont have poor cybersecurity, so if they were subject to a breach themselves, then the sensitive data could have been stolen from them.
  2. Seemingly, the Department of Taxes is using a single, shared user account or possibly just a shared password to sign in to their system and view the full records on a Property Transfer. From a security perspective, shared accounts/passwords are a major no-no and speak poorly to the Department’s security overall.
  3. Due to the dispersed nature of the data, there is no way to know exactly who might have accessed the data or how many people are affected. It’s not as if all 250+ municipalities in the state kept meticulous track of records requests.

Our take: this incident isn’t a red alert, exactly, but it makes one wonder how secure state government systems are. Based on experience and precedent, the answer is probably “not very.” So, this is just another drop in the bucket. When some unsuspecting person falls prey to identity theft and can’t imagine why, they should think of how many incidents like this occur every year.

Read more from the horse’s mouth here.
