The Wall Street Journal is reporting that a hacker managed to break into the US Government’s HealthCare.gov health insurance comparison website in July, and managed to implant malware.
The site was hacked back in July, but they only found out a week ago.
Before you start to have heart palpitations, take a deep breath and take some comfort in the news that investigators are claiming that the personal information of consumers does not appear to have been stolen or compromised.
Of course, that’s often a difficult thing to determine. After all, if the Mona Lisa gets stolen from the Louvre it’s pretty obvious - there’s a gap in the wall where the painting used to hang.
Data is different though. When it’s seized by hackers, you can’t tell that anything has been taken as they make a copy - they don’t typically destroy the version on your server. After all, that wouldn’t make sense. It would simply make it more obvious that a breach had occurred…
So we have to hope that the Department of Health and Human Services is right when it says that, in its review of the security breach, it determined that the hacked server “did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted.”
The last part of that statement is interesting. The HealthCare.gov website was “not specifically targeted”.
To my ears that sounds like HealthCare.gov got hit as part of an attack which may have hit many websites, rather than by hackers who were hell-bent on infecting the high-profile ObamaCare site.
Perhaps it was the case that HealthCare.gov had a security flaw on it which was common with other sites on the net, and it just happened to be one of many sites which were exploited and had malicious code uploaded to them.
If so, it is likely that the malicious code implanted on HealthCare.gov’s servers was designed to infect other computers on the web, perhaps as they visited third-party sites that surreptitiously ran the malicious code embedded on the ObamaCare website.
Whether specifically targeted, or hit in the crossfire of a more widespread attack, you don’t want to hear that hackers have managed to breach the US Government’s health insurance website - a website that stores highly sensitive information about American citizens including their Social Security numbers, financial details and the names of family members.
The news failed to come as a shock to some… For instance, security expert Dave Kennedy testified to Congress in January about security concerns he found with the site.
His response to the news that hackers had uploaded malware to HealthCare.gov?
I am completely shocked that healthcare dot gov was hacked. Completely surprised…/sarcasm http://t.co/Ebum4eklM2
— Dave Kennedy (ReL1K) (@HackingDave) September 4, 2014
It’s hard to be definitive, as details are currently sketchy, but the news of HealthCare.gov’s latest woe only adds to the bad news that has revolved around the site since its launch in October last year, when it was crippled by numerous technical problems and became the butt of TV talk show jokes.
Let this be a lesson to websites big and small - you need to be thorough in your defences, and keep your guard up, to have any chance of preventing something similar happening to you.