HealthCareDotGov got hacked

The first hacker attack on the ObamaCare federal exchange website – at least, the first one the Administration is aware of, and willing to admit to – happened in July, according to a report in the Wall Street Journal.  Reportedly one of the test servers got hacked, and while some malware was uploaded, we are assured no data was stolen.  

(Stop laughing about the “test servers.”  They do test HealthCareDotGov nowadays, although that was evidently too much to ask before the damn thing launched.)

Health and Human Services didn’t become aware of the attack until last week.  Their description of the event is a little… odd:

An HHS official said the attack appears to mark the first successful intrusion into the website, where millions of Americans bought insurance starting last year under the Affordable Care Act. It raised concerns among federal officials because of how easily the intruder gained access and how much damage could have occurred.

“Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted,” the Department of Health and Human Services said in a written statement. “We have taken measures to further strengthen security.”

The attack comes as the federal government and insurance companies prepare for open enrollment, which begins Nov. 15. It is likely to be seized on by Republican lawmakers, who oppose the law, in fall campaigns as another sign of the health law’s flaws. HealthCare.gov suffered from crippling technology problems when it launched in October, though the government has since improved the site.

Well, lucky thing this mysterious intruder confined his nefarious activities to a test server, politely declined to steal any of the data that was on it, and settled for just dropping off a virus or two.  No reason to worry about what might happen during the next open enrollment period!

As an insurance enrollment portal, HealthCare.gov stores deeply personal details on Americans, including Social Security numbers, financial data and names of family members. None of that appeared to gain the still unknown hacker’s interest, officials said.

Rather, investigators found that in July, the intruder did just one thing: install malware on a HealthCare.gov server so it could be used in future cyberattacks against other websites, federal officials said. Hackers often take over troves of computers and servers to direct mischief traffic at websites. The rush of traffic, known as a denial of service attack, overwhelms the site and knocks it offline.

Such types of cyberattacks are considered a nuisance and, if discovered at a private company, it is likely the firm wouldn’t disclose the incident, cybersecurity attorneys have said.

“If this happened anywhere other than HealthCare.gov, it wouldn’t be news,” a senior DHS official said.

Yes, I guess if it happened anywhere other than the bug-riddled website millions of Americans will be compelled by law to use, after ObamaCare kills their current insurance coverage, it might be less of a big deal.  Hey, the live version of that ObamaCare website wouldn’t happen to be connected to a lot of other sensitive government systems, would it?  Why, yes, it is.

Assuming that the HealthCareDotGov hacker just wanted to fool around with some “nuisance” denial-of-service attacks is a rather large jump.  I don’t know if the author of the WSJ article made that assumption, or if it was his contacts at the Department of Health and Human Services.  (I notice the official statement from the Department of Homeland Security says “there is no indication that any data was compromised at this time.”)

As for that comment in the WSJ about how chillingly easy the intrusion was, get a load of this:

Investigators found that the hacker was scanning both federal and private websites for a certain type of server that the person would then hack. This suggests the hacker wasn’t targeting the health-care website, the official said.

Washington officials said they are concerned that an intruder gained access to the HealthCare.gov network through a basic security flaw. The server accessed had such low security settings because it was never meant to be connected to the Internet, the HHS official said. When the hacker broke in, it was only guarded by a default password, which often is easy to crack.

“There was a door left open,” the official said.

So the test server for the most expensive and under-performing website in history was protected less thoroughly than the average cat blog.  Nice.  Not that some of the big private-sector hacking stories we’ve been hearing lately haven’t included some rather appalling security lapses, but you’d think our overstaffed, overpaid, overfunded mega-government could do better than this.  Please, God, tell me that default password wasn’t “password.”

Update: I originally wrote that HealthCareDotGov was protected “about as well as the average cat blog,” but that’s really unfair to cat bloggers, so I have changed the reference.  Apologies to anyone who spent less than $1.2 billion on their website and was offended.

Another thought that occurs to me about the hacking of the HealthCareDotGov test servers: the miscreants might not have made off with data (although I’m not sanguine about the ability of anyone involved with ObamaCare to detect such a theft if it occurred) but they’ve learned plenty about the code structure of the live server, haven’t they?  

As for whether there was valuable data to be stolen on the test server – well, obviously there was, or the Obama Administration would have immediately said there wasn’t.  They probably test the code using old copies of the data from the live servers.
