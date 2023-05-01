MONTPELIER, Vt. (WCAX) - Did a state software program expose your personal information? The Vermont Agency of Digital Services is reviewing several state websites after it was discovered they may be leaking information about Vermonters’ private data.

Vermont uses the cloud-based software Salesforce for some online human services. Examples of that use include filing pandemic unemployment benefits or COVID-19 vaccine signups.

It requires users to log in to access many features. But a recent report from a national cybersecurity expert, Brian Krebs, found some guest users could access information meant to be behind closed doors. And in the case of the Pandemic Unemployment Assistance program, people could access names, addresses and even Social Security numbers.

“That rapid building of those applications led to a shortcutting of the normal process,” said Scott Carbee, the chief information officer of the Vermont Agency of Digital Services.

Carbee says during the pandemic, some Salesforce programs were created quickly. He says, yes, the personal information of Vermonters was available to bad actors posing as guest users, but accessing that sensitive information would be difficult.

“You had to be a very determined individual to get in to find a single record and you had to use that same determination to find another record and another record,” Carbee explained.

Carbee says they’ve now sealed the websites and personal information.

A Salesforce spokesperson told WCAX News the potential leak was a result of how some settings were configured, not faulty software. And they say they provide tools and guidance on security and privacy to customers like the state of Vermont.

“It’s just another breach, another day,” said George Silowash, the chief information officer at Norwich University.

Silowash says Salesforce is ubiquitous online and is used by all levels of government and in the private sector.

He says keeping websites secure can be complex and time-consuming.

“They’re very complex and they require teams of people to manage the security of the product. Oftentimes they are not secure by default and sometimes organizations need to take steps to increase the security of that platform,” Silowash said.

Back in Montpelier, Carbee says it’s unlikely personal data was compromised. But he says if anyone is concerned, the Agency of Digital Services will look into it.

