Hackers breached the Utah Department of Technology Services, stealing Social Security numbers and personal information from thousands of clients.
According to the Utah Department of Health, Utah medical records were compromised during a cyber attack over the weekend beginning March 30th, 2012. Officials originally announced that approximately 25,000 records had been stolen, but this has since been corrected to 25,000 files, each of which may contain hundreds of records. It is estimated that up to 280,000 Social Security numbers have been taken, and less sensitive personal information has been taken from as many as 500,000 others. This information includes names, dates of birth, addresses, national provider ID numbers, medical billing codes, and provider taxpayer ID numbers.
The victims of this breach are the beneficiaries of Medicaid and the Children's Health Insurance Program (CHIP) who have visited a Utah clinic sometime within the past year. They have been notified by the Health Department, and have been offered free credit monitoring for the next year to protect against any exploitation of this information. However, up until now only one in five affected citizens has signed up for the free monitoring. Since children do not have bank accounts or credit cards, the state is collaborating with TransUnion credit bureau to effectively freeze the minors' credit until they come of age. All have been advised to closely monitor their credit reports and bank accounts, and to report any possibility of exploitation.
These files are stored on servers maintained by the Utah Department of Technology Services (DTS), based in Salt Lake City. The breach began on Friday, March 30th, after normal office hours, so nothing was suspected to be amiss until the following Monday, when the intrusion was quickly shut down. Though the department's servers have multiple layers of security, the hackers found a gap in the armor: an insecure password. Further details have not been made public. Common password errors include using the default passwords that ship with software or equipment, using simple passwords without numbers or symbols, and not changing passwords regularly.
Security requires constant attention and can't be taken for granted. In this case, a very small vulnerability opened the door to the theft of personal information belonging to the better part of a million people. And while it isn't certain what measures the DTS had in place, it's clear that they weren't good enough. The department reports successfully repelling 1.2 million malicious attack attempts every day, yet it may take only one crack in the dam to flood the valley. This attack should serve as a wake-up call to everyone who deals with online hosting.
Thankfully, there are ways to know whether a hosting provider is trustworthy. There are several kinds of certifications that a service provider can acquire as proof of its business and technical practices. One of the most important, and for many organizations a mandatory one, is compliance with the Payment Card Industry Data Security Standard, or PCI DSS. The purpose of PCI is to protect cardholder information so as to reduce credit card fraud. These controls were introduced in 2004, and the current version, 2.0, came out in 2010. All organizations that handle payment card data must be PCI compliant, or else face fines from the credit card companies.
A more recent set of controls is the Statements on Standards for Attestation Engagements number 16, or SSAE-16. These statements are issued by the American Institute of Certified Public Accountants (AICPA). According to their Code of Professional Conduct, section 16 is a set of controls and standards for organizations that provide services relevant to their users' control over financial reporting. The SOC 1 report, which must be attested by a third-party accounting firm, states whether such a service organization is in compliance with these standards.