The Wall Street Journal is reporting that a hacker managed to break into the US Government’s HealthCare.gov, a health insurance comparison website in July 2014, and managed to implant malware. The WSJ reported that though the site was hacked and infiltrated by the attackers the webmasters / security team of the site came to know about the hack only a week ago. The attack was noticed by federal employees on Aug. 25. Hackers downloaded malicious software onto a test server of HealthCare.gov as part of a broader denial-of-service attack, intended to cripple other websites. In such an attack, hackers infect hundreds or thousands of computers, called botnets, with malware and then command those computers to command the botnet traffic to a particular website and DDoS it to eternity.
It is some respite for the general public using it and the security team managing it, the investigators and Obama Administration, investigating into the incident have ‘claimed’ that the personal information of consumers does not appear to have been stolen or compromised. However the investigators are just claiming as of now, so we have to hope that the Department of Health and Human Services is right when it says in its review of the security breach it determined that the hacked server “did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted.”
The last part of that statement is interesting. The HealthCare.gov website was “not specifically targeted” but it is hard to believe the claims as of yet. Readers may note that just week earlier, a hospital operator in Tennessee said that Chinese hackers had stolen personal data for 4.5 million patients.
It’s quite unclear whether HealthCare.gov got hit as part of an attack which many have hit many websites, rather than by hackers who were hell bent on infecting the high profile ObamaCare site.
Perhaps it was the case that HealthCare.gov had a security flaw on it which was common with other sites on the net, and it just happened to be one of many sites which were exploited and had malicious code uploaded to them.
If so, in all likelihood, it may have been that the malicious code that was implanted into HealthCare.gov’s servers was designed to infect other computers on the web, maybe, perhaps as they visited third-party sites that surreptitiously ran the malicious code embedded on the ObamaCare website.
Whether specifically targeted, or hit in the crossfire of a more widespread attack, you still don’t want to hear that hackers have managed to breach the US Government’s health insurance website – a website that stores highly sensitive information about American citizens including their Social Security numbers, financial details and the names of family members.
The news failed to come as a shock to some… For instance, here is security expert Dave Kennedy’s tweet to the news that hackers had uploaded malware to HealthCare.gov!
I am completely shocked that healthcare dot gov was hacked. Completely surprised…/sarcasm https://t.co/Ebum4eklM2
— Dave Kennedy (ReL1K) (@HackingDave) September 4, 2014
It’s hard to be definitive, as details are currently sketchy, but the news of HealthCare.gov’s latest woe only adds to the bad news that has revolved around the site since its launch in October last year, when it was crippled by numerous technical problems and became the butt of many a stand up comedian and TV talk show jokes.