The Social Security numbers of more than 2.5 million Marylanders were exposed last year due to insufficient safeguarding by the Department of Public Safety and Correctional Services, state auditors reported.
Auditor Thomas J. Barnickel said no one's identity appeared to have been stolen.
The corrections department maintains the state's Sex Offender Registry Database and the fingerprint identification system.
Barnickel declined to say whose information was exposed. The state housed 21,504 inmates in 2013, the most recent year for which data was available on its website.
Auditors found that the corrections department did not have security controls to keep unauthorized changes to its databases from going undetected by management, and did not document or monitor changes to its database and security.
"Accordingly, assurance was lacking that erroneous or unauthorized activity, which could affect the integrity of DPSCS' data files, would be detected by management," auditors wrote.
The department's network was not properly secured — a finding repeated from the state's last audit.
Kevin Combs, the department's chief information officer, wrote in his response that the department agreed with all the auditors' recommendations to remedy the failures listed.
The department has completed many of the fixes already, he wrote. They included an inventory check of all sensitive information to determine how much of it needs to be retained and to delete any that does not.
All sensitive information will either be moved to an encrypted database or be better protected with added encryption software by Oct. 1, 2018, Combs wrote.
"Encryption solutions are dependent on the Department's fiscal ability to acquire the needed software," he wrote.
By July, he wrote, the department will document all direct modifications to its significant data. But he anticipated it could cause "performance issues which we will document if changes need to be made affecting what is being logged."
A new security review process has been put in place, he said, and will be conducted every six months.
When the audit was performed, the unsecured network was in the process of being upgraded and firewalls were being tightened to allow people to access only the information needed, Combs wrote.
The department will add an intrusion detection and prevention system to keep out encrypted Internet traffic and prevent third parties from accessing the network, as recommended, he wrote.
Stephen T. Moyer, secretary of public safety and correctional services, wrote that his department appreciates "the constructive findings and recommendations that were made as the result of this audit."
He pledged to closely monitor the information technology division's corrections "to prevent any repeat audit findings in the next audit."