According to the audit, which was released last week, the firm SAP failed to secure a "powerful account," allowing the auditor's office access to sensitive and confidential information for what the report called an "extended period of time." The report also found that the Administrative Services Department, which oversees the city's finances, failed to effectively manage SAP user accounts to ensure security.
"Such access could have allowed a motivated and sufficiently capable person to destroy or modify data, expose sensitive employee and customer information, or defraud the City," City Auditor Michael Edwards wrote in the report.
The SAP Enterprise Resource Planning application, which the city has been using since 2002, supports the city's accounting, finance, purchasing, human resource and utilities functions.
The auditor's office made its finding about breached security after a January incident in which the office was able to use a "default" password to tap into an account that should've been sensitive, including employees' Social Security numbers, payroll records and credit information. The account also granted the auditor's office access to create vendors and approve invoice payments, according to the audit.
Further investigation found that the account is usually "locked," but an SAP administrator "opened" it because of a technical issue during software installation last December. After the installation was completed, the SAP employee did not secure this account, the audit found.
The report also stated that the Administrative Services Department "did not have adequate policies and procedures to secure these powerful standard accounts," the audit stated. The department has since taken steps to identify and secure these accounts.
The report also found that the department "violated two critical security principles by not properly restricting access for all user accounts." The audit recommends that the department adopt formal policies addressing user access and implement procedures "to either prohibit or control the use of all other powerful system-provided SAP profiles."
In a response to the audit, Lalo Perez, director of the Administrative Services Department, wrote that staff has "made it a top priority to rectify" the security problems and has "taken action to address many of the findings in the audit." The security breach, he wrote, was limited to a very small number of city employees. Outside users, he wrote, would have to first breach a firewall and the SAP security system to access the account.
"While it is unacceptable that sensitive information was exposed, the limited number of staff with the ability to access the information is trained to access sensitive information while upholding confidentiality standards," Perez wrote.
He noted that over the past few months, his department has been working with the City Auditor's Office in developing a system to monitor the SAP system — a process that he said "has significantly improved the security of the SAP system."