VERMONT — An outdated software that is used by about 200 Vermont municipalities and the Vermont Tax Department has long contained flaws that exposed sensitive information including Social Security numbers, according to an IT consultant and the software company’s founder.
New England Municipal Resource Center, or NEMRC, is software that cities and towns use for managing functions such as utility bills, tax bills, land records, and dog licenses. NEMRC was started by Ernie Saunders at his home in Fairfax in 1984, and Saunders still runs the company from his home, now with 23 employees around the state.
South Burlington IT consultant Brett Johnson said he discovered security flaws so serious that he is now talking to lawmakers about changing reporting requirements to include potential data breaches, not just data breaches that have already occurred. Johnson wrote a report on the matter in January.
Johnson, who owns an IT company called simpleroute, became aware of the NEMRC flaws after he was hired to do IT work for two Vermont towns in 2017. He said he found it would be easy for a hacker to gain access to municipal workers’ Social Security numbers and to their banking and routing information. Some of that information had been available on city and town websites since 2006, he said.
The network uses a discontinued Microsoft program called Visual FoxPro that was created in 1984. Microsoft stopped providing support for the version used by NEMRC in 2010, Johnson said.
“You could make a strong case that Visual FoxPro shouldn’t be used on a government level,” Johnson said.
He said information was stored in such a way that in some places, anyone who uses the town system would have access to it. In others, a knowledgeable outsider could easily gain access, he said.
“In some towns, you might find the garage mechanic had access to NEMRC,” Johnson said. “You add up all those workers, and all it takes is one bad actor at some of those towns.”
No towns have reported any information breaches as a result of the NEMRC system, according to the Vermont League of Cities and Towns.
The state of Vermont Tax Department uses NEMRC to compile grand list information, said John Quinn, the secretary of the state’s Agency of Digital Services, who only learned of the security problems with NEMRC when contacted by a reporter.
“Our security team has already started looking into it and making sure the security vulnerabilities have been filled,” said Quinn. He added that his office had already planned to replace the system, and has an RFP going out this week for that work.
“It’s an outdated system and an outdated technology,” Quinn said of the NEMRC system.
Vermont Assistant Attorney General Ryan Kriger said Tuesday that his office was aware of the case and monitoring it.
Saunders, NEMRC’s owner, acknowledged that there had been security problems but said he’s now addressed them.
“I wouldn’t say it’s not true,” he said of Johnson’s report. “I agree that it was vulnerable.” He added that he welcomed Johnson’s scrutiny and report because it helped him patch some flaws. Johnson contacted him about the problems about a year ago, he said.
“I immediately sent that over to my head programmer and said, ‘Scott, let’s look into these,’” Saunders said. “And that’s what we did. There are always vulnerabilities in any system, and they did a good job doing a deep dig on looking for vulnerabilities.”
NEMRC’s software is much less expensive than the alternatives available on the national market, said Johnson, Saunders and Wendy Wilton, who was treasurer for the city of Rutland for 10 years. She said Saunders was very responsive to any problems that were revealed.
“The fact is, it’s a real bargain, and I always felt like we had a good, safe system,” said Wilton, who said she worked closely with Saunders. “Nobody ever hacked it.” She noted that responding to security problems that arise “is part of the process” with any software. And the software’s age is what makes it so affordable, she said.
Updating the software from Microsoft is unnecessary, she said, because it can be done in-house.
“You can write the code,” Wilton said. “That’s what Ernie and his team do. Even if Microsoft might not support FoxPro, you can still write in it, and make encryptions happen, and adjust the software; they did this while I was there.”
Johnson said he wrote his report on NEMRC because there’s an understanding within the IT community that it’s important to let the public know about possible security problems. He waited to release it in January until the information had been secured, he said. Under the law, companies and institutions must report data breaches to the state.
Like Wilton, he said security updates will always be needed, and he didn’t consider his own system to be out of the ordinary.
“Remember, this is in a private network in a town,” Saunders said. “To be honest, I go into some town offices and they have their password taped on the computer, so that means if a custodian came in and said that’s the password and goes into the system, they could also find information on people’s Social Security numbers and stuff.”
Johnson said he hopes to work with lawmakers to change state law so potential breaches can be reported.
“I take issue with where we are today,” Johnson said. “People need to know. If any of these municipalities ran a security audit of this network, they would find Social Security numbers. It’s a known pattern of numbers; it’s something a good audit would uncover. I don’t know why I am the first one finding this.”