IT Firm says 200 Vermont Municipalities at Risk by Legacy Software

2019, Breaches, February

Who: 200 Vermont municipalities and the Vermont Tax Department

# of Accounts Breached: None

What was happened: New England Municipal Resource Center, or NEMRC, is legacy software that cities and towns use for managing functions such as utility bills, tax bills, land records, and dog licenses.

When it happened: February 5, 2019

How it happened: IT consultant Brett Johnson said he discovered security flaws so serious that he is now talking to lawmakers about changing reporting requirements to include potential data breaches, not just data breaches that have already occurred. The network uses a discontinued Microsoft program called Visual FoxPro that was created in 1984. Microsoft stopped providing support for the version used by NEMRC in 2010. NEMRC’s owner acknowledged that there had been security problems but they had been addressed. There are always vulnerabilities in any system. The Rutland’s longtime treasurer Wendy Wilton said “Saunders was very responsive to any problems that were revealed, and I always felt like we had a good, safe system.” said Wilton, who said she worked closely with Saunders. “Nobody ever hacked it.” She noted that responding to security problems that arise “is part of the process” with any software. And the software’s age is what makes it so affordable”, she said.

Outcome: No towns have reported any information breaches as a result of the NEMRC system, according to the Vermont League of Cities and Towns. Our security team has already started looking into it and making sure the security vulnerabilities have been filled. They have planned to replace the system and has issued an RFP for that work.