The Mississippi Office of State Auditor has released a report showing nearly one third of state government agencies are vulnerable to hacking after not meeting cybersecurity assessment requirements.
State Auditor Shad White said Tuesday that analysts from his office worked with the Mississippi Department of Information Technology Services to conduct the report. It shows that a significant number of state agencies have not met a legal requirement to conduct a comprehensive, third-party cybersecurity assessment called a “penetration test.” Under state code, agencies must contract with an outside party at least once every two years to test their system for weaknesses to prevent hackers from gaining personal information of citizens.
“This is a big, big deal to Mississippians, because state government has your personal information. State government has information that, if leaked, could lead to your identity being stolen,” White explained. “Think about all the details that Medicaid and the Department of Revenue have.
“We talk about these findings not because it’s fun to highlight how vulnerable state agencies are but because this has got to be fixed so that Mississippians’ personal data doesn’t get out in the open.”
The report found that 29% of state agencies had not met the cybersecurity requirements by September 2025. It did not disclose which agencies have not complied, more than likely to not tip cyber criminals off to which agencies are currently vulnerable.
Even though White is concerned with personal information getting stolen, the reason his office released the report is the prospect of taxpayer dollars being lost in the case of ransomware, or a type of malware that encrypts data until a ransom is paid.
“In this scenario, a hacker comes in, gets into your system, locks up your computers and email system, and then, the hacker will send a message to the administrator saying if they want access to the system again, they have to pay $50,000 in Bitcoin,” he used as an example of ransomware. “[Agencies] basically have two options then: Restart the entire system and lose all of the data or pay them the money, which is taxpayer dollars down the drain.”
White said the goal of the report is to encourage agencies to get penetration tests done before being the next to fall victim to a cybercrime. Over the summer, an online meeting of the Mississippi Opioid Settlement Fund Advisory Council hosted by the Mississippi Attorney General’s Office was hacked. Other recent examples of cybercrimes involving government offices include a 2024 data breach that disrupted the Starkville-Oktibbeha Consolidated School District and a 2023 ransomware attack on Hinds County that prevented citizens from registering vehicles or completing real estate transactions.
The attack in Hinds County cost taxpayers at least $600,000 to resolve, according to White.
“There are ways to prevent this. It’s just doing your job and making sure your system is pen tested. The federal Department of Homeland Security actually will do this for state agencies for free,” he said, adding that the wait time for his office to use DHS for its penetration test was a few months.
While White is calling for all state agencies, and even local government offices, to make sure their systems are not vulnerable to cybercrimes, he doesn’t believe the report’s findings are a product of negligence among agency heads, but more so oversight errors.
“Here’s the challenge of being a state agency head in Mississippi: There’s a ton of regulations you have to comply with, and they’re hidden all over the code,” he said. “Some of these state agencies simply don’t know or they forget that there is a rule they have to go out and get tested every few years. Some of them maybe had a senior IT person retire and maybe no one picked up the baton to get the system tested.”
