A high-ranking IT official in Utah recently resigned after “human error” led to a massive data breach affecting hundreds of thousands of people in the state. Here’s what went wrong.
The breach occurred in late March, after cybercriminals gained access to a server at the Utah Department of Technology Services (DTS) containing data for the state’s Medicaid program. In total, information about roughly 780,000 people was taken.
That includes 280,000 people who may have had their Social Security numbers compromised, along with 500,000 others who may have had less sensitive information — such as names and birth dates — accessed by hackers.
How did all that information get stolen? The breach wasn’t carried out by sophisticated malware, but rather by “two, three or four mistakes” made when configuring the server, admitted Mark VanOrden, interim director of DTS. He took over after Stephen Fletcher, the previous director, resigned due to the incident.
Some of the problems occurred because IT staff didn’t follow proper policy while upgrading the server. VanOrden recently told the Deseret News about the mistakes that led to the breach:
1. Default passwords were kept
The server that was breached was initially installed by an independent contractor, which was unusual for the department, VanOrden said, and the normal policies for configuring and testing security and conducting a risk assessment were not followed.
One huge step that was skipped: changing the passwords from the factory-issued defaults, which is actually a fairly common IT mistake, according to one recent study.
2. Missing firewall
While 99% of the department’s data is kept behind two firewalls, VanOrden said, the data stolen was not. Apparently, the data wasn’t protected as the server was being upgraded.
3. Too much unencrypted data
VanOrden also said that the server held old data that should have been deleted. Also, it wasn’t encrypted, so the criminals were able to access the information.
One big lesson for IT: It’s important to develop and follow strict change management policies. Many breaches occur because companies configure systems properly, but fail to make sure those settings are carried over when a machine is upgraded or another change is made.
Also, IT should regularly audit security configurations, take inventory of what data is being held, and delete what is no longer needed.
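As an added illustration (not code from the article, DTS or the Deseret News), this Python check reviews one server record against the three conditions the article names plus the data-retention point: the record's field names, the default-credential list and the sample server are constructed assumptions.

```python
from datetime import date

# Constructed set of factory-default credentials to flag; a real check would use
# the vendor's documented defaults for the product being audited.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "changeme")}


def audit_server(server, today, max_age_days=365):
    """Return a list of findings for one server record after a change.

    `server` is a dict (assumed layout) with keys: name, accounts (list of
    (user, password)), behind_firewalls (int), datasets (list of dicts with
    name, sensitive, encrypted, last_used as a date).
    """
    findings = []
    # Mistake 1: default passwords kept after installation
    for user, password in server["accounts"]:
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(f"default credential retained for account '{user}'")
    # Mistake 2: not behind the two firewalls policy requires
    if server["behind_firewalls"] < 2:
        findings.append(f"behind {server['behind_firewalls']} firewall(s); policy requires 2")
    # Mistake 3: sensitive data unencrypted, and old data never deleted
    for ds in server["datasets"]:
        if ds["sensitive"] and not ds["encrypted"]:
            findings.append(f"sensitive dataset '{ds['name']}' is not encrypted")
        if (today - ds["last_used"]).days > max_age_days:
            findings.append(f"dataset '{ds['name']}' unused for over {max_age_days} days; review for deletion")
    return findings


# Constructed sample modelled on the conditions described in the article.
SAMPLE_SERVER = {
    "name": "medicaid-db-01",
    "accounts": [("admin", "admin"), ("svc_medicaid", "constructed-strong-secret")],
    "behind_firewalls": 0,
    "datasets": [
        {"name": "claims_2008", "sensitive": True, "encrypted": False, "last_used": date(2009, 1, 15)},
        {"name": "claims_current", "sensitive": True, "encrypted": True, "last_used": date(2012, 3, 20)},
    ],
}

if __name__ == "__main__":
    for finding in audit_server(SAMPLE_SERVER, date(2012, 4, 1)):
        print("FINDING:", finding)
```

Running the same check against a baseline record before a change and against the server afterwards shows exactly which settings failed to carry over.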