Utah breach 10X worse than originally thought
SSNs on 280K exposed; names, birth dates of another 500K compromised
Computerworld - The scope of a data breach involving a Medicaid server at the Utah Department of Health is much worse than originally thought. State officials now say that close to 280,000 Social Security Numbers may have been exposed in the incident instead of 25,000, as originally believed.
Less sensitive personal data such as names, birth dates and addresses of another 500,000 people may have also been compromised in the breach, state officials said today.
Today's announcement marks the second time in three days that Utah state officials have upped their estimates of a March 30 intrusion into a server containing Medicaid claims data on Utah residents.
According to the Utah Department of Technology Services (DTS) and the Utah Department of Health (UDOH), the breach stemmed from a configuration error at the user authentication layer. The error allowed attackers, believed to be operating out of Eastern Europe, to bypass the network, perimeter and application level security controls that were in place to protect the server.
Initially, state officials said the intrusion had allowed improper access to about 24,000 claims records. Each record could include Social Security Numbers, names, birth dates, addresses, tax identification numbers and treatment codes.
On Friday, the two organizations released another statement saying forensics investigations showed the breach to be larger than initially thought. In addition to Medicaid data, the breached information included data about recipients of the state's Children's Health Insurance Plans (CHIP). And rather than 24,000 claims, the hackers had actually accessed 24,000 files, each one of which potentially contained personal data on hundreds of individuals.
Early on Monday, Utah state officials changed their numbers again. In a statement, DTS and UDOH officials said ongoing investigations showed that the compromised data included Social Security Numbers belonging to about 255,000 people whose providers had contacted the UDOH to verify their Medicaid eligibility.
"The victims are likely to be people who have visited a health care provider in the past four months," the statement said. "Some may be Medicaid or CHIP recipients; others are individuals whose health care providers were unsure as to their status as Medicaid recipients."
The state has begun notifying affected individuals about the compromise. Those who had their SSNs stolen will receive one year's worth of free credit monitoring services.
Attacks that take advantage of weak authentication mechanisms continue to be a major problem for enterprises. Though the issue is well understood, many companies with otherwise sound defenses continue to get breached because of their reliance on default or easy-to-guess passwords and knowledge-based authentication (KBA) mechanisms for controlling access to critical network assets and systems.
A recent breach at payment processing firm GlobalPayments Inc. that exposed debit and credit card data belonging to about 1.5 million people is thought to have resulted from an authentication vulnerability.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts