The Healthcare.gov website has had its fair share of troubles since launch, and among the most persistent are claims of security vulnerabilities. TrustedSec’s CEO David Kennedy has been vocal about these issues, though little has been done to address them. Perhaps to make a bigger point, he recently took advantage of the vulnerability and managed to access 70,000 records over the course of four minutes, saying, “Seventy-thousand was just one of the numbers that I was able to go up to, and I stopped after that.”
Kennedy has long been preaching the vulnerability song, and when the website underwent a fix, he stated that it was more vulnerable than before. He further elaborated on how he accessed the records, saying, “[it was] a rudimentary type attack that doesn’t actually attack the website itself, it extracts information from it without actually having to go into the system.” The CEO isn’t the only hacker to publicly confirm the security issues, however: Kevin Mitnick, Ed Skoudis, and more have issued warnings of an impending security breach if the problems are not corrected.
Said Mitnick in a signed statement alongside fellow hackers: “It’s shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices to mitigate the significant risk of a system compromise or access to consumer proprietary information.”
Despite these warnings, the government has maintained Healthcare.gov is secure and undergoes regular security testing. Whether this latest breach performed by Kennedy will spur a proper review and corrections of the issue at hand is yet to be seen (and a cynic might express ample doubt at this point), but all signs point towards a ticking clock counting down to a major — malicious — data breach.