VERGENNES — Local municipal officials last week assured residents and employees their data was safe in the wake of news released the week before that software used by many county and Vermont towns contained security vulnerabilities.
At issue is a VTDigger.org report, published in the Independent on Feb. 7, that South Burlington consultant Brett Johnson had discovered “flaws that exposed sensitive information including Social Security numbers” in popular accounting and other software from Fairfax firm New England Municipal Resource Center, or NEMRC.
According to VTDigger, Johnson found the NEMRC issues “after he was hired to do IT work for two Vermont towns in 2017. He said he found it would be easy for a hacker to gain access to municipal workers’ Social Security numbers and to their banking and routing information.”  
But local treasurers, clerks and managers in Middlebury, Ferrisburgh and Vergennes said NEMRC quickly acknowledged and patched the vulnerabilities, that each local office had additional strong third-party protection, and that each followed practices to minimize the likelihood of security breaches.
Vergennes City Clerk Joan Devine said she had spoken directly to NEMRC founder and company head Ernie Saunders.
“He said you can have your own IT people go in and search if you need any more assurance, but he said we have taken out any vulnerabilities,” said Devine, who along with other Vergennes City Hall employees uses NEMRC to handle tax and water/sewer billing, tracking the grand list, accounts payable, payroll and dog licenses.
Ferrisburgh Treasurer Deb Healey said her town — which uses NEMRC software much in the same manner as Vergennes — routinely and immediately installs updates and patches coming from NEMRC. Those patches included a patch that arrived about a year ago when Johnson brought the issues to the company’s attention.
“When they were made aware of this fault there were some strong emails coming out saying, ‘Look, we’re sending out patches. Do it,’” Healey said. “And I always did anyway, so it wasn’t a big deal.”
All of the towns contacted require employees to use separate passwords, and Middlebury Treasurer Jackie Sullivan said her town also took the extra step of changing theirs.
“We have taken the advice of NEMRC and strengthened all our passwords, and it’s always been the case where each user has their own password,” said Sullivan, whose town uses NEMRC software for roughly the same list of tasks as Ferrisburgh and Vergennes.
Each of the towns has also farmed out their IT work, including security, to an outside firm. Middlebury and Ferrisburgh use Middlebury’s The Top Floor, while Vergennes relies on Symquest.
Sullivan said Middlebury’s security is so tight that every now and then employees have difficulty logging on.
“There have been times the redundancy is so strong it’s hard to get in,” Sullivan said. “We work around that, and they (Top Floor) work with us to get us there. I’d say it’s very, very strong.”
Town clerks noted the only place where Social Security numbers are recorded are in payroll accounting. Devine said between Symquest protection and the city’s in-house procedures that data was well protected even before the NMREC patches.
“The probabilities of getting through our system to get at those vulnerabilities were very small,” Devine said.
Vergennes City Manager Matt Chabot agreed with that assessment after talking with NEMRC and Symquest.
“Both entities felt our system was fully secure. There were opportunities, obviously, initially. But the steps that have been taken provided the adequate amount of security,” Chabot said.
Chabot addressed the issue of cyber security with the city council at its Feb. 12 meeting.
“The best advice is kind of the tried and true, which is ensuring that we are doing periodic password changes, and not sharing passwords between staff, and as I said to the city council, the age-old ‘don’t have your password taped to your monitor,’” Chabot said.
He adding that password-taping tactic was “not a best practice we will be implementing.”
None of the local officials contacted reported any breaches or attempted breaches of data, and according to VTDigger no towns have reported any breaches due to NEMRC system, citing the Vermont League of Cities and Towns as a source.
“We’ve experienced no problems to my knowledge,” Sullivan said.
Nor do officials statewide appear to be overly concerned. Devine said she has been following discussions on a Vermont clerks’ discussion board regarding NMREC.
“I have not run into one clerk who said, ‘We’re shutting ours down,’” Devine said.
Healey summed up things up for local residents.
“I would say they can rest assured that we are doing everything that we can possibly do to make sure that all of the data is kept safe and secure,” Healey said. “We don’t feel there is any reason for alarm.”
Of course, Devine said, the world is full of bad actors with keyboards.
“We’re in a hacking world right now,” Devine said. “No matter what they put out there, someone is going to try to outsmart it, and may succeed.”
Andy Kirkaldy may be reached at [email protected].