It was an IT nightmare: On April 2, 2012, technicians working for the State of Utah's Department of Technology Services (DTS) discovered that hackers were downloading sensitive personal information about healthcare claimants from a state-run server.
Included in the stolen data were 280,000 records containing Social Security numbers, as well as 500,000 additional records without SSNs but containing other sensitive personal information, such as name, address, or date of birth.
If that wasn't bad enough, the hackers, who appeared to hail from Eastern Europe, had been at their nefarious task since March 30. And their initial contact with the server had taken place on March 10.
After immediately shutting down the server, DTS staff investigated the breach over the next month, while state officials underwent a lengthy process of public apology and education, trying to ensure that people whose data went missing weren't further victimized by imposters phoning them with phony "help."
The state government has offered victims free credit monitoring service, but according to the Deseret News, just 10 percent of the 280,000 whose SSNs were breached are taking the state up on the offer. Still, at a cost of $16 per person per year, the state has already spent at least $448,000 on the service and could potentially end up shelling out $4.5 million.
The second shoe dropped on Tuesday this week, when Utah governor Gary Herbert fired executive director of DTS Stephen Fletcher; replaced him with a new acting director and former colleague, Mark VanOrden; and instituted a new position of Health Data Security Ombudsman, hiring Utah healthcare advocate Sheila Walsh-McDonald for the job.
Harsh, yes; but according to a statement in yesterday's Deseret News, Stephen Fletcher approved of the governor's action because he was ultimately in charge when the breach took place.
Fletcher also cited the difficulties of keeping data safe these days. "There has been a huge increase in the number of attacks against state systems -- about a 600 percent increase in the last four months -- and it is always a difficult challenge to make sure that you have adequate resources there to make sure the attacks are turned away," he told the press.
Interestingly, Fletcher was slated to appear today as a guest on Internet Evolution Radio. A request for comment from him for this blog was unanswered at press time.
Meanwhile, the new director of DTS has released a more detailed summation of the "multiple mistakes" that put the red carpet down for data thieves to enter Utah's Medicaid Management Information System.
"Ninety-nine percent of the state's data is behind two firewalls; this information was not. It was not encrypted and it did not have hardened passwords," VanOrden told legislators in a meeting yesterday.
Default passwords installed at the factory were still in the system when it was shut down, he noted.
There were other problems: The server had been installed months ago by a contractor, not by a staffer as department protocol demands. Also, DTS policy calls for servers like this one to undergo monitoring and a risk assessment -- steps that also weren't taken.
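The monitoring DTS policy required but skipped is the control that would have surfaced the pattern in this story: a quiet first contact on March 10, then bulk downloads starting March 30 that went unnoticed until April 2. The following detector is an added example, not code from the article, DTS or any vendor; it runs over constructed access-log lines in an assumed format (timestamp, client address, action, records returned) and flags any client that pulls an implausible volume of claimant records in a day, noting when that client had first probed the server weeks earlier.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample log lines (not real DTS data): timestamp, client, action, records returned.
# The timeline mirrors the article: first contact March 10, bulk pulls from March 30 onward.
SAMPLE_LOG = """\
2012-03-10T02:14:07 203.0.113.7 LOGIN_FAIL 0
2012-03-10T02:14:31 203.0.113.7 LOGIN_OK 0
2012-03-10T02:15:02 203.0.113.7 LIST_CLAIMS 20
2012-03-15T09:00:11 192.0.2.44 LIST_CLAIMS 35
2012-03-30T01:03:55 203.0.113.7 LOGIN_OK 0
2012-03-30T01:04:10 203.0.113.7 EXPORT_CLAIMS 120000
2012-03-31T01:10:42 203.0.113.7 EXPORT_CLAIMS 160000
2012-04-01T01:08:19 203.0.113.7 EXPORT_CLAIMS 250000
2012-04-01T10:22:05 192.0.2.44 LIST_CLAIMS 40
"""

BULK_THRESHOLD = 10_000  # records/day from one client; assumed far above any case worker's normal use
DORMANCY_DAYS = 7        # assumed quiet gap between first contact and bulk pull that marks recon-then-exfil

def parse(log_text):
    """Parse the constructed log format into (timestamp, client, action, count) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, client, action, count = line.split()
        events.append((datetime.fromisoformat(ts), client, action, int(count)))
    return events

def find_bulk_downloaders(log_text, threshold=BULK_THRESHOLD, dormancy_days=DORMANCY_DAYS):
    """Return {client: finding} for clients returning more than `threshold` records in one day."""
    per_day = defaultdict(int)   # (client, date) -> records returned that day
    first_seen = {}              # client -> date of first contact of any kind (even a failed login)
    for ts, client, _action, count in parse(log_text):
        first_seen.setdefault(client, ts.date())
        per_day[(client, ts.date())] += count
    findings = {}
    for (client, day), total in sorted(per_day.items()):
        if total < threshold:
            continue
        f = findings.setdefault(client, {"bulk_days": [], "records": 0})
        f["bulk_days"].append(day.isoformat())
        f["records"] += total
    for client, f in findings.items():
        # Days between the client's very first touch and its first bulk day: long gaps are the tell.
        quiet_gap = (date.fromisoformat(f["bulk_days"][0]) - first_seen[client]).days
        f["quiet_days_before_bulk"] = quiet_gap
        f["recon_then_bulk"] = quiet_gap >= dormancy_days
    return findings
```

Run daily against the server's own logs, this flags the constructed intruder on the first bulk day rather than three days later; the threshold and dormancy window are assumptions to tune per system.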
Despite the furor this breach has caused, it is far from unique. According to information posted by the Privacy Rights Clearinghouse, of the 203 data breaches reported so far this year in the US, 103 involved either government or healthcare information. Of that subset, 16 cases were the result of hacking.
The largest hacking of a government or healthcare information source this year in the US occurred in January 2012 at Indiana University, when the online records of 650,000 nationwide participants in a President's Challenge fitness program were breached. It seems no CIOs were harmed, however, in the resolution of that case.
I guess what's an important lesson to take away from this, if I may blow my own horn...is that companies think that they can save money by taking server hosting in-house. They see what it costs to co-locate or have managed hosting from a hosting provider and they think that they can do it cheaper...well, sometimes they can. But issues like this show that you may not be considering all the costs of bringing your servers in-house. Like I said in my previous statement, in the 20 years of being in the managed, colocated and network ISP/ASP business, I have never witnessed a breach where customer data was compromised. Not once! And why is that? We have rules, policies and procedures. Plus we are professionals...it's all we do...we don't fix printers, we don't troubleshoot PowerPoint, we don't do any of the things an in-house IT does....hosting, that's it...*THAT'S* what you're paying for when you purchased managed hosting. Just because the nephew of the CEO built his first webpage at age 5 doesn't make him an expert. You can't imagine how many so-called professionals don't understand cross-site scripting, or how to prevent SQL injection...or how to even harden a server! It's not that difficult, but it's not child's play either. You *HAVE* to know what you're doing and you have to have the experience to prepare for *EVERY* contingency.
I've witnessed major customers who think they can bring their stuff in-house so they leave thinking they're going to save money...the smart ones come back...the arrogant ones end up like these people...
That's why I always say, when money and security is at stake, leave it to the experts...
The damage will unfold as it becomes apparent whose data was taken and what was done with it. And the taxpayers will foot the bill, because this is a government agency.
Great points, tech_ed. I believe that when the new acting IT director faced legislators today he mentioned that it has been tough to get the technicians to understand many pages of policy rules.
But that just illustrates how it's the job of the CIO to make the rules and regulations easier to follow.
Agreed, chuckgregory, that scapegoating is counterproductive. But sadly, I think the governor had to "make an arrest" and deliver someone's head on a platter. As I said in an earlier message, it was high theater designed to appease angry constituents. And no, it won't fix the problem. But surely, it got DTS smacked into shape.
It is too bad that the state prohibits any official from being dismissed. I am not saying that Utah's governor should have fired its CIO. But the law should not shield IT personnel who are truly negligent.
"There were other problems: The server had been installed months ago by a contractor, not a staffer as department protocol demands. Also, DTS policy calls for servers like this one to undergo monitoring and a risk assessment -- steps that also weren't taken."
I've worked for two of the world's largest tier-1 hosting providers over the past 20 years! I've been involved with both sides of the computer security world for over 35 years! Breaches like this are inexcusable! Regardless of the number of attacks you get on your system, there really is no excuse for not hardening your equipment! As an experiment back in the 90s, we stood up a Windows server with no patches or updates on a public-facing network. It took less than 20 minutes for it to be owned by hackers!
It is clear that policy and procedures were ignored in this case. And since policy and procedures come from the top down, the highest head must be sacrificed for not ensuring that not only these policies and procedures be followed, but that the management staff he put in place were not competent enough to make sure that the employees followed procedure!
Following simple hardening steps is all it takes to keep the baddies away from your data....it really shouldn't be that hard!
It seems that the ripple effects are still to play out, cjon316. Those whose personal information was breached have been told they must track their online credit activity very closely for the next while, since their SSNs etc. are likely to wind up in the wrong hands, having been sold by the hackers.
And yes, the server was taken offline immediately when the breach was discovered.