© 2024 KSMU Radio
DONATE
Play Live Radio
Next Up:
0:00
0:00
0:00 0:00
Available On Air Stations
We’re in our Spring Fundraiser and you can help! Support KSMU programming today!
Missouri Legislature
Covering state lawmakers, bills, and policy emerging from Jefferson City.

Audit finds Missouri courts' record system lacks cybersecurity safeguards

St. Louis Public Radio | By Marshall Griffin
Published August 10, 2016 at 6:32 PM CDT
Missouri Auditor Nicole Galloway found the online records system used by Missouri courts gives those with administrative privileges the ability to see users' passwords.
Angus Kingston | Flickr
Missouri Auditor Nicole Galloway found the online records system used by Missouri courts gives those with administrative privileges the ability to see users' passwords.

A state audit released Wednesday finds that court records in Missouri are not being thoroughly shielded from hackers and other unauthorized users.

The audit identifies potential weaknesses in the Judicial Information System, which is operated by the Office of State Courts Administrator.  The system is used to store case files, information on convictions and sentencing and financial records.

Missouri Auditor Nicole Galloway said potential weaknesses in the system could lead to unauthorized users tampering with data on prisoners, including sentences and release dates.

"The Office of State Courts Administrator has an obligation to ensure court information and records are handled securely and accurately, and with the responsible management of public dollars," Galloway said in a release. "The current system lacks necessary safeguards to identify inappropriate or unusual activity."

The findings include:

  • OSCA management has not fully established procedures to periodically review user accounts and to confirm access rights are appropriate.
  • User accounts are not routinely reviewed to determine if they have been accessed or used in a specified period of time. 
  • Twelve former OSCA or court employees still had access to the system after their employment ended.
  • Those with administrative privileges can log in and see others' passwords. 


Also, the audit found thecourts administrator office has no long-range formal plan or budget in place for its information system, despite spending $218 million on the Judicial Information System.

Galloway’s recommendations include:

  • Periodically reviewing users' access rights to data and other information to ensure they are appropriately in line with employees' job duties and responsibilities
  • Identifying and evaluating inactive accounts
  • Ensuring lists of user accounts and related privileges to access the Judicial Information System are complete and accurate
  • Periodically providing applicable user information to the local court appointing authorities for review
  • Implementing procedures for the timely removal of user accounts and related access privileges upon employee termination
  • Investigating system changes to strengthen password controls, to reduce the risk of password compromise, and to help prevent unauthorized access; discontinue maintaining a centralized list of passwords


In a written response, the Office of State Courts Administrators said, in part:

"The Judicial Information System is deficient in its password capacity; however, (it) is only accessible through the court's network. There are approved network password guidelines which require complex passwords which must be changed at least every 90 days and force an inactivity logout every 15 minutes. The concern with JIS password limitations was raised in a previous audit and in response this issue is being addressed in development of (a new system, Show-Me Courts).  There are MCA-approved security policies which prohibit sharing of passwords. The deficiencies noted are JIS limitations and are being addressed in development of Show-Me Courts."

The full audit can be viewed here.

Follow Marshall Griffin on Twitter:  @MarshallGReport

Copyright 2016 St. Louis Public Radio
Tags
Politics Missouri LegislatureMissouri Auditor Nicole GallowayJudicial Information System
Marshall Griffin
St. Louis Public Radio State House Reporter Marshall Griffin is a native of Mississippi and proud alumnus of Ole Miss (welcome to the SEC, Mizzou!). He has been in radio for over 20 years, starting out as a deejay. His big break in news came when the first President Bush ordered the invasion of Panama in 1989. Marshall was working the graveyard shift at a rock station, and began ripping news bulletins off an old AP teletype and reading updates between songs. From there on, his radio career turned toward news reporting and anchoring. In 1999, he became the capital bureau chief for Florida's Radio Networks, and in 2003 he became News Director at WFSU-FM/Florida Public Radio. During his time in Tallahassee he covered seven legislative sessions, Governor Jeb Bush's administration, four hurricanes, the Terri Schiavo saga, and the 2000 presidential recount. Before coming to Missouri, he enjoyed a brief stint in the Blue Ridge Mountains, reporting and anchoring for WWNC-AM in Asheville, North Carolina. Marshall lives in Jefferson City with his wife, Julie, their dogs, Max and Liberty Belle, and their cat, Honey.
See stories by Marshall Griffin