The security flaws that allowed personal data of 780,000 Utah citizens to be stolen were revealed yesterday by the state’s interim IT chief.
Two weeks ago, the state of Utah revealed that hackers had stolen the data, which related to the state’s Medicaid healthcare programme. It said that hackers had first accessed a server containing the data on March 10th, but had not downloaded any information until March 30th. The breach was discovered on April 1st.
Yesterday, interim CIO Mark VanOrden outlined the security failures that made the breach possible.
"Ninety-nine percent of the state’s data is behind two firewalls, this information was not," he said, the Deseret News reported. "It was not encrypted and it did not have hardened passwords."
The server had also been placed online by an independent contractor, rather than a system administrator who knew the security protocol to follow, VanOrden said. The contractor had left the server using factory-default logins, something VanOrden said was not "routine".
VanOrden said that the information had also been left sitting on the server for too long, regardless of the security failures surrounding it.
"We’re having staff go through all the servers and databases to identify those that contain personal information and determine if it’s encrypted… Most of the data is not encrypted," VanOrden told the Public Utilities and Technology committee. "We’re evaluating the cost to encrypt all this data and asking whether that makes sense."
Earlier this week, the state’s chief technology officer Stephen Fletcher resigned over the incident. Speaking at a press conference on Wednesday, Fletcher pointed to the increasing difficulty of his former job.
"There has been a huge increase in the number of attacks against state systems — about a 600 percent increase in the last four months — and it is always a difficult challenge to make sure that you have adequate resources there to make sure the attacks are turned away," he said.