

9 Lessons From Utah Data Breach

Breach of unencrypted data affected 28% of the state's residents; one in 10 had Social Security numbers stolen. How can you avoid such an epic fail?

How bad was the March 30 data breach involving Utah residents?

By current counts, 500,000 (18%) of the state's 2.8 million residents, including children, had their health data compromised. In addition, another 280,000 residents (10%) had their Social Security numbers breached.

The incident is smaller in size than last year's data exposure of 3.5 million records in Texas, which were managed by the Texas comptroller's office. But the two incidents suggest that many government agencies--not to mention businesses--are still learning data breach prevention basics only after sensitive information gets exposed.

How can other organizations prevent a breach of Utah-like proportions? Start here:

1) Get serious about breaches before you're breached. "The good news, if there is any, is that Utah is now Very Serious about Identity Theft, launching its new IRIS: Identity Theft Reporting Information System in response," said Gary Warner, the director of research in computer forensics at the University of Alabama at Birmingham, in a blog post. "What will it take for the other states to get serious about identity theft?"

2) Create a post-breach response plan. For the best results, treat breaches as an eventuality, and ensure that a breach response plan is in place in advance. Did Utah have such a plan in place? The relative slowness of the breach response suggests otherwise. Notably, Utah governor Gary R. Herbert last week announced that he'd created and filled a new position--data security ombudsman--to help anyone affected by the data breach. "They will focus on providing individual case managemet (sic), credit and indentity (sic) theft counseling, and community outreach," according to a data breach information center that's been created by the state's health and technology departments.

3) Keep residents out of the crosshairs. In a speech delivered last week, Gov. Herbert likened the state's citizens to soldiers who were being directly attacked by identity thieves. "The state of Utah must restore the trust placed in it," he said. "Cyber-security is the modern battlefront and we are all enlisted--you, me, our state agencies, the legislature--all of us have a critical role to play." Then again, if the state had put a better data breach prevention plan in place, the governor wouldn't have to reach for military metaphors; the information would simply be safe. On the plus side, however, the state has now brought in a third-party auditor to assess all of its systems.

4) Ex-CIO reports attack volume difficult to manage. Did the state budget enough to maintain proper levels of information security? Last week, the governor announced that Stephen Fletcher, executive director of the Department of Technology Services, had resigned. Fletcher also told Deseret News that he took full responsibility for the breach, since it "took place under my watch."

But trying to maintain a perfect, breach-free record is getting increasingly difficult. "There has been a huge increase in the number of attacks against state systems--about a 600% increase in the last four months--and it is always a difficult challenge to make sure that you have adequate resources there to make sure the attacks are turned away," Fletcher said.

5) Beware rogue servers, motivated thieves. When it came to the breach, Fletcher told Deseret News that "99% of the state's data is behind two firewalls, this information was not" and furthermore that the data "was not encrypted and it did not have hardened passwords." He said that criminals--believed to be from Eastern Europe--were able to steal the information via a single health department server, which appeared to have been rolled out without following the state's own information security protocols. The state has said it's continuing to investigate employees who might have been involved, and at least one state lawmaker has questioned what he sees as a high level of turnover in the technology department.

6) Breaches might involve more than "customers." Is your business storing too much data? Utah has warned residents that "a substantial amount of people who have no history with either the Medicaid or CHIP [Children's Health Insurance Program] programs had their personal information stolen off the server. This is because healthcare providers often submit personal information on patients to the state in order to check their status as possible Medicaid recipients." Although this was standard practice--oftentimes even for people with private insurance--it raises the question of why this information wasn't deleted after people's Medicaid status was relayed to insurers.

7) Breached Social Security numbers permanently insecure. The Utah Department of Health said it's sent letters to all residents whose Social Security numbers were breached, and is offering them one year of free credit monitoring services. But that's arguably a band-aid solution, because once Social Security numbers get stolen, and remain available for identity thieves to exploit, such numbers can't be recovered. Identity theft victims can get a new Social Security number, but doing so will reset their credit history, which could make life difficult in other ways.

8) Consider how much credit monitoring will be necessary. Security experts also have questioned the duration of the state's credit monitoring offer. "One year is not really much protection considering your Social Security number is with you for life, and most of us don't change addresses all that often," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

Furthermore, he noted that the head of Utah's health department had suggested that the stolen information "goes stale" after a year. "It is this kind of attitude that might contribute to bureaucrats making half-baked attempts at protecting the data to begin with, not considering that these incidents may haunt victims their whole lives," he said.

9) Time for national ID cards? Given the difficulty of replacing Social Security numbers, is it time to revisit the notion of providing people with a national identity card? According to Warner at the University of Alabama at Birmingham, Spain's national identity card contains a digitized photo, signature, and fingerprints for the owner, and is used to secure Social Security numbers. "If you have my number, but not the chip in my card, it is worthless to you," he said. If businesses and government agencies are going to rely on Social Security numbers to identify people, maybe it's time for the United States to find a similar way to help keep the information secure.

User Rank: Moderator
5/25/2012 | 9:56:46 PM
re: 9 Lessons From Utah Data Breach
I like your analogy that cybersecurity is the modern battlefront, and unlike in physical war, citizens are the virtual soldiers under attack by identity thieves. It's time for the States to understand that firewalls don't keep the attackers out, and once they are in, both structured and unstructured data in the clear is at risk. In fact, many breaches are conducted from the inside. The States' battle plans should include data encryption, access controls, and secure key management. It's imperative that their defenses match the enemy's firepower. @Cryptodd
User Rank: Ninja
7/1/2012 | 3:19:18 AM
re: 9 Lessons From Utah Data Breach
This breach could have been addressed as well by implementing simple best practices. A lack of firewalls, strong passwords, etc all played a part in this breach by leaving data exposed. Failure to do the basics and enforce policy is a serious problem.
Brian Prince, InformationWeek/Dark Reading Comment Moderator