A little over a month ago, the largest data breach in Utah history resulted in the compromise of Social Security numbers of some 280,000 Medicaid and Children’s Health Insurance Plans users and “less sensitive” information on 500,000 more of them.
The data was located on a Utah Department of Technology Services’ computer server, and is believed to have been accessed by Eastern European hackers.
At the time, the Utah Department of Health stated that a configuration error that occurred at the password authentication level allowed the hacker to circumvent DTS’s security system, but more details have been revealed on Wednesday after a thorough investigation of the incident.
“Two, three or four mistakes were made,” stated Mark VanOrden, the new director of Utah’s Department of Technology Services. “Ninety-nine percent of the state’s data is behind two firewalls, this information was not.”
According to Deseret News, the compromised server was installed by an independent contractor over a year ago, but risk assessment was not performed prior to it being used, and the contractor failed to change the factory-issued default passwords on it.
The final mistake was leaving the information on it unencrypted.
It seems that there have been no attempts of using the stolen information to fraudulently obtain loans or credit cards so far, even though only ten percent of the affected individuals have subscribed to the free credit monitoring service that has been offered them.
But whatever else it might be, this breach has been a great learning opportunity for people in charge of security for various US state and federal agencies.
VanOrden stated that he plans on implementing a security checklist that will have to be followed every time information stored on any one of the state’s servers is altered, and says that employees who are caught accessing information not required for doing their job will be summarily dismissed.