No evidence found that personal data was exfiltrated

Sep 5, 2014 20:50 GMT

On Thursday, congressional staff were briefed by the Department of Health and Human Services (HHS) about a breach of HealthCare.gov systems that took place in July.

The attacker planted malware that gave them access to a server used for testing the website's code, according to sources cited by The Wall Street Journal, which first reported the news.

Although the breach occurred in July, it was not discovered until August 25, at which point an investigation was launched immediately to determine the damage.

According to the investigators examining the affected systems, the threat actor did not access the personal information of any of the millions of subscribers, because that data is stored on a different server.

Furthermore, the malware was not designed to siphon information but to launch denial-of-service attacks against other websites.

An unnamed HHS official told Business Insider that the breach was discovered when the security team noticed an anomaly in the security logs of the affected server.

Bloomberg reports that the attacker gained access because the server was protected only by a default password. Because it was a test system not connected to the Internet, officials say the attack was not targeted.

“There is little that separates test machines from production servers, and even DMZ (demilitarized zone or perimeter network) environments for that matter, especially in virtualized and cloud environments,” Eric Chiu, president and co-founder of cloud control company HyTrust, said via email.

“A simple click of the button can connect the wrong system to the Internet, exposing potentially sensitive data to the outside world. In today's dynamic world, policy-based administrative controls become critical to ensuring the safety of our data,” he added.

Even though the affected system did not face the Internet, it was connected to a network of computers that can be accessed online. Malware can spread across such a network and reach machines that store highly sensitive information, which is exactly the kind of data held in this case.

This shows the importance of internal auditing and sound security practices: an environment is only as secure as its weakest link.

“The attack on Healthcare.gov is yet another example of the confluence between complexity of infrastructure and lack of attention on information security. Regardless of the numerous warnings and previous issues, the basic steps to understand the environment and apply basic security controls were overlooked,” said Brandon Hoffman, CTO at RedSeal, in an email message.