After the bevy of problems Healthcare.gov encountered in its first few months of life, dumping one more onto the pile shouldn't faze you all that much, right? Well, not if that hiccup is actually a gaping vulnerability, and one that can reportedly grant hackers access to over 70,000 private records in just four minutes, at that.
David Kennedy, a white hat hacker and TrustedSec CEO, has been warning anyone who would listen since November that the flawed government website was highly insecure. Now, after using passive reconnaissance, "which allowed [him] to query and look at how the website operates and performs," Kennedy revealed that he was able to access 70,000 records in under four minutes, records that included names, Social Security numbers, email addresses, and home addresses, among other details. What's more, he didn't technically have to hack into the website at all.
In talking to Fox News Sunday, Kennedy explained what he believed to be the source of the problem:
The problem is if you look at the integration between the IRS, DHS, third party credit verification processes, you have all of these different organizations that feed into this data hub for the healthcare.gov infrastructure to provide all that information and validate everything. And so if an attacker gets access to that, they basically have full access into your entire online identity, everything that you do from taxes to, you know, what you pay, what you make, what DHS has on you from a tracking perspective as well as obviously, you know, what we call personal identifiable information which is what an attacker would use to take a line of credit out from your account. It's really damaging.
Still, Teresa Fryer, the chief information security officer for the Centers for Medicare & Medicaid Services, testified before the House Oversight Committee that cybersecurity testing had been successfully completed and that "there have been no successful attacks on the site."
Of course, claiming that there have been no attacks on the site doesn't inspire much confidence when the information is accessible without ever entering the site in the first place.
Update 5:00PM EST:
David Kennedy has taken to the TrustedSec website to clarify that it was not, in fact, 70,000 records that were swiped. Rather, that number was simply "tested for as an example through utilizing Google's advanced search." Kennedy's full update follows:
There have been a few stories running around in the media around accessing 70,000 records on the healthcare.gov website. Just to note on this, we never accessed 70,000 records nor is it directly on the healthcare.gov website (a sub-site for the infrastructure). The number 70,000 was a number that was tested for as an example through utilizing Google's advanced search functionality as well as normally browsing the website. No dumping of data, malicious intent, hacking, or even viewing of the information was done. We do not support the statements from the news organizations. From a previous blog post, the information shown in the python script was sanitized and not used through Google scraping (urllib2 python module). We've reached out to the news agencies to clarify as these were not our words.