The Wall Street Journal is reporting that a hacker managed to break into the US Government’s HealthCare.gov health insurance comparison website in July, and managed to implant malware.
The site was hacked back in July, but they only found out a week ago.
Before you start to have heart palpitations, take a deep breath and take some comfort in the news that investigators are claiming that the personal information of consumers does not appear to have been stolen or compromised.
Of course, that’s often a difficult thing to determine. After all, if the Mona Lisa gets stolen from the Louvre it’s pretty obvious – there’s a gap in the wall where the painting used to hang.
Data is different though. When it’s seized by hackers, you can’t tell that anything has been taken as they make a copy – they don’t typically destroy the version on your server. After all, that wouldn’t make sense. It would simply make it more obvious that a breach had occurred…
So we have to hope that the Department of Health and Human Services is right when it says in its review of the security breach it determined that the hacked server “did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted.”
The last part of that statement is interesting. The HealthCare.gov website was “not specifically targeted”.
To my ears that sounds like HealthCare.gov got hit as part of an attack which many have hit many websites, rather than by hackers who were hell bent on infecting the high profile ObamaCare site.
Perhaps it was the case that HealthCare.gov had a security flaw on it which was common with other sites on the net, and it just happened to be one of many sites which were exploited and had malicious code uploaded to them.
If so, in all likelihood, it may have been that the malicious code that was implanted into HealthCare.gov’s servers was designed to infect other computers on the web, perhaps as they visited third-party sites that surreptitiously ran the malicious code embedded on the ObamaCare website.
Whether specifically targeted, or hit in the crossfire of a more widespread attack, you don’t want to hear that hackers have managed to breach the US Government’s health insurance website – a website that stores highly sensitive information about American citizens including their Social Security numbers, financial details and the names of family members.
The news failed to come as a shock to some… For instance, security expert Dave Kennedy testified to Congress in January about security concerns he found with the site.
His response to the news that hackers had uploaded malware to HealthCare.gov?
https://twitter.com/HackingDave/status/507636738295353344
It’s hard to be definitive, as details are currently sketchy, but the news of HealthCare.gov’s latest woe only adds to the bad news that has revolved around the site since its launch in October last year, when it was crippled by numerous technical problems and became the butt of TV talk show jokes.
Let this be a lesson to websites big and small – you need to be thorough in your defences, and keep your guard up, to have any chance of preventing something similar happening to you.
No surprise they were hit. If this wasn't targeted and still got in I can only imagine how many others are in. They need to have Intellegence agency level security with multiple AV's scanning every document, high powered dynamic analysis, ddos, the works.
Doesn't sound like they have much of that.
"Before you start to have heart palpitations, …"
Thanks Graham. Well done, as always.
As for the situation, well hardly surprising that any government site gets attacked. Even low profile servers (like mine) see attack attempts a lot. Some are better at others with filtering and unfortunately governments are on the low end (hell, I've seen foreign government computers attempt to relay mail through my server. To this day it amuses me when I think of it even though it is bad in the end). Will they learn? I doubt it. NASA is a good example of how much they get it (the repeated claims that they'll be fixing things they already were supposed to have fixed years before).