Cyber-hoodlum tripped, fell, landed in Obama's Healthcare.gov server
That's exactly how it happened, honest, says US govt, and no medical records stolen
Officials at the US Department of Health and Human Services (DHHS) have today confirmed that one of the Healthcare.gov servers was hacked.
The system was compromised in July, when an as-yet unidentified miscreant managed to worm his or her way in and install malware. The security breach was spotted and the machine – which was apparently used for testing – has been shut down, according to the government.
"Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted," a DHHS spokesman told The Wall Street Journal. "We have taken measures to further strengthen security."
The Department of Homeland Security and the FBI are investigating the case and have identified a number of IP addresses that were used by the intruder. Officials say the infected server was used to test code for the website and that it is unlikely hackers were attempting to access healthcare information or that they were state-sponsored.
"There is no indication that any data was compromised at this time," DHHS spokesman S.Y. Lee said. "DHS will continue to monitor the situation and help develop and implement precautionary mitigation strategies as necessary."
It appears the attacker was running a scan for vulnerable servers that could be used in a distributed denial of service attack. This particular server was never supposed to be connected to the internet and was using a default password with very low security settings, we're told.
"There was a door left open," a senior DHS official said. "If this happened anywhere other than HealthCare.gov, it wouldn't be news."
The attack was discovered on August 25 after a scheduled computer scan showed the server had been connected to the internet when it shouldn't have been. The malware has since been found and removed.
Now the chairman of the House of Representatives Oversight and Government Reform Committee – Darrell Issa (R-CA) – hopes to quiz Marilyn Tavenner, administrator of Healthcare.gov's Centers for Medicare and Medicaid Services, at a hearing on September 18.
Given the teething problems suffered by Healthcare.gov at its inception, you may have thought the DHHS would be taking better care of its system. Then again, you might say a recent criminal prosecution has left them somewhat short of infosec staff. ®