All clear? Server exposure from Illinois vendor with access to driver’s license data raises questions

The exposure has raised the eyebrows of at least one top watchdog, Cook County Inspector Patrick Blanchard, who told the Sun-Times both offices should not only look into what was exposed — but also how it could have occurred.

SHARE All clear? Server exposure from Illinois vendor with access to driver’s license data raises questions
City Clerk Anna Valencia and Secretary of State Jesse White

City Clerk Anna Valencia, left, in June; Secretary of State Jesse White, right, in 2016. File Photos.

Rich Hein/Chicago Sun-Times;| Santiago Covarrubias/Chicago Sun-Times

A computer server of a vendor with city and state contracts to sell Illinois license plate stickers and Chicago vehicle stickers at currency exchanges was exposed to the Internet in May — although city and state officials insist there was no security breach.

But that’s not enough for one Cook County watchdog, who says officials need to conduct a thorough investigation to determine what exactly was exposed and how the mishap occurred before they can give the all clear sign.

“It sounds like they’re making a guarantee, which always worries me,” Cook County Inspector General Patrick Blanchard said.

Despite provisions in Electronic License Service LLC’s contracts with both the Illinois secretary of state and the Chicago city clerk’s office that outline the steps to take after a potential security breach — including a secretary of state guideline to hire a “forensics expert” to conduct an investigation — both offices say there’s nothing to worry about.

ELS is one of five companies with contracts with both the Illinois secretary of state’s office and the city clerk of Chicago to allow it to sell stickers at currency exchanges. It’s owned by John Iberl, who runs the Illinois Community Currency Exchange PAC, which has donated to both Illinois Secretary of State Jesse White and former City Clerk Susana Mendoza. He’s also donated to Mendoza’s comptroller campaign fund.

State Comptroller Susana Mendoza

State Comptroller Susana Mendoza in, 2018. File photo.

Rich Hein/Chicago Sun-Times file

As a vendor, ELS has access to government systems and the personal information of hundreds of thousands of customers. The company is estimated to have generated almost $40 million since 2017 from Illinois and city residents buying city stickers and license plate registrations. The company has processed more than 3.7 million license plate stickers and more than 844,000 city vehicle stickers, since 2017, generating $4.6 million in fees from the sale of city stickers.

The development server, commonly referred to as a Jenkins server, was exposed to the Internet in May, according to a screen grab of the server at the time of the breach, obtained by the Sun-Times. The “workspace” folders included ones with labels that contained “city-sticker-2009” and “chi_parking” and “citysticker,” among others. It also contained a “.git” file, which in some cases is used to store credentials to allow access to databases.

The clerk’s office said activity was detected on the development server, and it was “flagged.” The office said there was no data breach, just “ activity.”

Chicago City Clerk Anna Valencia in 2018

Chicago City Clerk Anna Valencia in November. File Photo. | James Foster/For the Sun-Times

James Foster/For the Sun-Times file

“Earlier this year, activity was detected on one of ELS’ development servers, and immediate steps were taken to identify the activity,” clerk’s office spokeswoman Kate LeFurgy said in a statement. “There was no impact on the Office of the City Clerk’s data. The server and associated activity were not related to the Office of the City Clerk.”

The secretary of state’s office said, “our office confirmed that there was no compromise of SOS data involved.”

Secretary of State Jesse White

Secretary of State Jesse White displays the new design for Illinois license plates in 2016. File Photo.

Andy Grimm/Chicago Sun-Times

ELS owner Iberl said in an that he was “not authorized to comment to the media.”

Blanchard said the server exposure warrants a closer look, and an internal assurance by both offices that all is clear isn’t enough.

Blanchard said he conferred with data experts in his office, who agreed “a lot more information needs to be obtained before somebody could even begin to assess what issues may be at play.”

Blanchard said both the secretary of state’s office and the clerk’s office should be looking into the scope of the breach, if there was one, as well as how it happened and how it could occur.

Cook County Inspector General Patrick Blanchard

Cook County Inspector General Patrick Blanchard in his loop office in 2012.

Tom Cruze/Chicago Sun-Times file

There are several provisions for breaches in ELS’ contracts with both offices, which include reporting it to the secretary of state’s office within 24 hours “via telephone and in writing, any unauthorized access, use or or misuse of the SOS information and/or computer system, including any suspected or actual breach.” If a data breach is confirmed, there’s also a provision for the secretary of state’s office to hire a forensics expert to “conduct a full and thorough investigation” and report the findings at the developer’s expense.

Per the contract with the city clerk, ELS must contact the city if security of any protected information was breached and provide that information to the city. ELS, too, if requested by the city, would have to notify affected individuals if a breach happened.

Illinois also has the Illinois Personal Protection Act, which requires companies with personal information about state residents to maintain security measures to protect data from unauthorized access. It also specifies required actions if a data breach happens, like notifying Illinois residents of a breach to their data as soon as possible and without delay.

If a data breach does happen, consumers are also able to sue the company under the Consumer Fraud and Deceptive Business Practices Act. And the Illinois Attorney General could bring action against a company with violations and seek an injunction or fine them.

Screenshot_2__1_.jpeg

Image of an ELS development server exposed to the Internet in May

Provided photo

The Federal Trade Commission also has guidelines, calling a breach any time hackers take personal information from a server, an insider steals customer information or if information was “inadvertently exposed” on the Internet. The FTC recommends hiring independent forensic experts to determine the source and scope of the breach.

The Latest
The 21-year-old was found in the basement bathroom of a home in the 200 block of West 105th Street with a gunshot wound to the head.
Xherdan Shaqiri gave the Fire a 3-2 lead in the 89th minute, but it lasted only two minutes as Patryk Klimala scored to keep the Fire in search of their first victory since March 19.
The Sox’ sputtering offense had 10 hits but went 3-for-13 with runners in scoring position
The male, whose age was unknown, was taken to the University of Chicago Medical Center where he was pronounced dead.