Last week, the director of Utah’s Department of Technology Services (DTS) resigned in the wake of a massive data breach that exposed the personal information of nearly 800,000 people to hackers believed to have been in Eastern Europe.
The breach did not happen due to sophisticated malware, however. Instead, a series of configuration mistakes during an upgrade left the server wide open to attackers, who downloaded data from the server March 30.
The incident serves as a reminder of just how costly configuration errors can be for organizations. In the case in Utah, interim DTS director Mark VanOrden told theDeseret News about a series of errors that had exposed the server as the state upgraded its Medicaid Management Information System. The server, he explained, was installed by an independent contractor and was not protected by a firewall during the upgrade. In addition, the server used factory-issued default passwords, which he said is not “routine.”
“Two, three or four mistakes were made,” VanOrden was quoted as saying. “Ninety-nine percent of the state’s data is behind two firewalls, this information was not. It was not encrypted and it did not have hardened passwords.” Read More