City Controller: Philly government IT asking, begging for a major hack



9:50 a.m.: This article has been edited to clarify that the City Controller’s press release indicates the possibility of password breaches throughout the city government IT infrastructure, not just the city Web site.

If only a hacker could manage to navigate the city’s Web site, the administration might be in trouble.

That log-in passwords are lax and that fired city employees can still access secure portions of the city’s Web site are just two claims of the 2008 General IT Controls Review of the city’s Division of Technology, released yesterday by City Controller Alan Butkovitz. The review found that some terminated employees and contractors still had active user IDs to one or more of the city’s systems.

“There’s a lack of communication between the DOT and the Office of Human Resources,” said Butkovitz, who is embroiled in a primary race. “Once an employee or contractor is no longer with the City, all of their user ID and password information must be terminated immediately. The current practice exposes the City to substantial risks by allowing access to important financial data by unauthorized personnel.”

The city also has relatively weak password requirements giving easy access to its applications and services, the report claims. We can only assume this means Butkovitz wouldn’t approve me using “password” for all my passwords, including this one.

This is all asking for hackers or other intruders, Butkovitz said. No word yet on if his report will be as memorable as the time Geraldo Rivera drew future military operations in sand on national TV.

The review recommends that the city’s department of technology establish more stringent password requirements and revoke remote access to people who are no longer on city staffs.

“Strict security measures for computer applications are a necessity to prevent financial theft via the Internet as well as a barrier to identity theft,” he said. “The more difficult the city makes it for a hacker to access information, the less likely that data can be stolen through the Internet.”

The review also found that the city’s Web security standards are not formally documented for items like firewall configuration, anti-virus configuration and account lockout settings, in addition to other gripes with the DOT, which is one of at least 26 different city departments responsible for information technology, a press release from the Butkovitz office said.

Butkovitz has tentatively agreed to a panel discussion with the two other Democratic candidates for City Controller before the May 19 primary election. The discussion, to be held by NEastPhilly.com, a community news site for Northeast Philadelphia, and WHYY [Full Disclosure: I helped organize the event as a contributor to both organizations] at the John Perzel Community Center in Mayfair on May 7, will include Brett Mandel and John Braxton.

5 Responses to “City Controller: Philly government IT asking, begging for a major hack”

  1. @brianjameskirk  on April 15th, 2009

    New Post: City Controller says Philly government IT practically begging to be hacked – http://is.gd/suSX


  2. kbot215  on April 15th, 2009

    I hate to be the bearer of bad news, but if ANY IT organization is not practicing true “Defense in Depth”….you’re screwed. It’s only a matter of time. If you’re an IT Manager and you don’t know what that term means, quit your job. It will only be a matter of time before you lose it….good times…


  3. kbot215  on April 15th, 2009

    It doesn’t start or end with “passwords”…..that’s just one chink in the armor….


  4. @phillyist  on April 15th, 2009

    City Controller blasts city web site security, cites lack of communication between DOT, HR – http://tinyurl.com/djpjre – Via @TechnicallyPHL



