AUGUSTA, Maine — Last week a hacker or hackers placed malicious links in the software that operates the legislative website that allows the public to track legislation, and legislative leaders Wednesday directed that the security of all other legislative websites be reviewed and upgraded.
“There are culprits and criminals on the Internet that look to do things like this,” Scott Clark, director of Information Services for the Legislature, told the Legislative Council, the 10 elected leaders of the Legislature. “In the future I can assure you that anything that we develop will be as secure as the homegrown stuff we have, which is quite secure.”
The links could have exposed users’ computers to harm if users had clicked on them, he said. His staff could not track down who placed the links because that sort of information is not collected on a public website, but he believes the links were inserted into the computer code on the site last week.
“There was no personal information on this site, just publicly available information,” said David Boulter, executive director of the council.
Clark said a number of the legislative systems have been created by his staff and are protected by secure firewalls. The problem was in the proprietary software of International Roll-Call, which has a contract with the Legislature to run that public portion of its website.
Clark said that under the contract, the company is responsible for fixing the problem, but Senate President Elizabeth Mitchell, D-Vassalboro, raised questions about the costs the Legislature has incurred as the result of the failure and whether the company will reimburse those costs.
“We haven’t had that level of discussion,” Clark said. He said he will add requirements in future contracts requiring security testing before a contract is made final.
House Speaker Hannah Pingree, D-North Haven, said she was concerned that the breaches at the University of Maine and the Legislature would lead to more problems if hackers believe it’s “easy” to hack a website of Maine government.
“Is there some way to review everything we have got and make sure there are not similar holes in other sites?” she said.
Clark said that as he understood the university breach, it was of servers protected by a firewall, and the hacker had to have been inside the firewall or have breached it to reach the data. He said the bill status website is public and while it has some security features, it is not password-protected like a firewalled site.
The university breach was of servers with personal information of more than 4,000 students who had sought mental health services from the counseling center. Clark said the legislative site that was breached contained no personal data, and the servers that do contain such information are protected by firewalls.
“We reviewed all of our public websites and found they are all secure and did not have the links,” he said.
But Clark told lawmakers that while security and oversight can be improved, there are no guarantees the website will not be hacked again.
“Nothing is perfect,” he said. “There is always somebody out there who is very creative and scheming. But, inside the firewall is much better protected than our public websites are.”
The bill status function is still offline and will not resume operation until improvements are made to the site. The website allows the public to follow legislation during a session as well as providing access to such information as roll calls, committee votes, amendments and fiscal notes.
Clark said he hoped the site will be operating soon, but did not provide an estimate of when it will be operational.