January 17, 2018

Breach at HealthCare.gov Raises Security ISSUES

Federal officials announced last Thursday that a hacker succeeded in breaking into a server which was part of the HealthCare.gov website and installed malicious software. A subsequent investigation however, revealed that no consumer data was viewed or stolen during the attack. Read: US Government Personnel Network Hacked; Points to China
While the breach provides fresh talking points to lawmakers who oppose the Affordable Care Act that mandated the site's creation, it may also serve as a wake-up call to other large organizations that are still behind the curve in protecting consumer data, as this breach comes on the heels of other high profile incidents such as last year's breach involving Target and the more recent breach at Home Depot.
According to federal officials, the hacker gained access to a test server used by programmers and that contained no sensitive information. The server was connected to other machines which house more sensitive information, but those servers are said to have much tighter security measures in place. Officials acknowledged that it may have been theoretically possible for the hacker to move through the network and try to view more sensitive information. 

"Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted. We have taken measures to further strengthen security," according to a statement issued by the U.S. Department of Health and Human Services.
The evidence indicates that the hacker intended to install malware on the server and use it for future DoS attacks. In these types of attacks hackers will take over machines and use them to flood targeted websites with massive amounts of traffic with the intention of overloading the site and bringing it down. The hacker was able to easily gain access to the server because it was still configured using a default manufacturer assigned password. The oversight on this particular server was attributed to the fact that the server was never intended to be connected to the internet. 
The production site holds personal data such as names, Social Security number and consumer financial data which would be of great value to hackers. The HHS undertakes daily security scans, and drill-hacking tests and contracts with the Blue Canopy Group LLC for quarterly security audits.
Share This
Previous Post
Next Post

This Post was publish by the above Author