Audit finds Missouri courts' record system lacks cybersecurity safeguards | St. Louis Public Radio

Audit finds Missouri courts' record system lacks cybersecurity safeguards

Aug 10, 2016

A state audit released Wednesday finds that court records in Missouri are not being thoroughly shielded from hackers and other unauthorized users.

The audit identifies potential weaknesses in the Judicial Information System, which is operated by the Office of State Courts Administrator.  The system is used to store case files, information on convictions and sentencing and financial records.

Missouri Auditor Nicole Galloway said potential weaknesses in the system could lead to unauthorized users tampering with data on prisoners, including sentences and release dates.

"The Office of State Courts Administrator has an obligation to ensure court information and records are handled securely and accurately, and with the responsible management of public dollars," Galloway said in a release. "The current system lacks necessary safeguards to identify inappropriate or unusual activity."

The findings include:

  • OSCA management has not fully established procedures to periodically review user accounts and to confirm access rights are appropriate.
  • User accounts are not routinely reviewed to determine if they have been accessed or used in a specified period of time. 
  • Twelve former OSCA or court employees still had access to the system after their employment ended.
  • Those with administrative privileges can log in and see others' passwords. 

Also, the audit found the courts administrator office has no long-range formal plan or budget in place for its information system, despite spending $218 million on the Judicial Information System.

Galloway’s recommendations include:

  • Periodically reviewing users' access rights to data and other information to ensure they are appropriately in line with employees' job duties and responsibilities
  • Identifying and evaluating inactive accounts
  • Ensuring lists of user accounts and related privileges to access the Judicial Information System are complete and accurate
  • Periodically providing applicable user information to the local court appointing authorities for review
  • Implementing procedures for the timely removal of user accounts and related access privileges upon employee termination
  • Investigating system changes to strengthen password controls, to reduce the risk of password compromise, and to help prevent unauthorized access; discontinue maintaining a centralized list of passwords

In a written response, the Office of State Courts Administrators said, in part:

"The Judicial Information System is deficient in its password capacity; however, (it) is only accessible through the court's network. There are approved network password guidelines which require complex passwords which must be changed at least every 90 days and force an inactivity logout every 15 minutes. The concern with JIS password limitations was raised in a previous audit and in response this issue is being addressed in development of (a new system, Show-Me Courts).  There are MCA-approved security policies which prohibit sharing of passwords. The deficiencies noted are JIS limitations and are being addressed in development of Show-Me Courts."

The full audit can be viewed here.

Follow Marshall Griffin on Twitter:  @MarshallGReport