The GovQA system, utilized by numerous state and local governments for managing public records requests, contained vulnerabilities that could have exposed sensitive personal information to hackers, including IDs, fingerprints, and medical reports. Discovered by cybersecurity researcher Jason Parker, these flaws also allowed potential manipulation of records metadata without detection. Despite Granicus patching the vulnerabilities, the incident underscores the critical need for robust security measures in handling public records access.
Parker’s findings raised concerns about the potential exposure of personally identifying verification information submitted by requesters, even in anonymized Freedom of Information Act requests. This information could have been exploited by bad actors to access sensitive data tied to both requesters and the subjects of their inquiries. Granicus acknowledged that the flaws centered on data access within anonymous requests, prompting the implementation of a new process requiring requestors to create a username and password while preserving anonymity.
The vulnerabilities, exploitable through web developer commands, highlighted the risk of unauthorized access to sensitive information within the GovQA platform. Granicus assured that no intrusion to GovQA or its infrastructure occurred, and the company swiftly deployed patches to address the identified vulnerabilities. However, the incident underscores the broader challenges faced by public sector digital records systems across multiple states, emphasizing the necessity for continuous vigilance and proactive security measures to safeguard sensitive information from potential breaches.
