A new report from Utah newspaper Deseret News says Utah government officials now estimate that some 280,000 people had their Social Security numbers stolen, and some 500,000 had less sensitive data compromised.
The victims are likely to be people who visited health care providers in the past four months. Many are children who are enrolled in Children's Health Insurance Program or Medicaid, although adults are also victims, officials said.
The reports do not say how the data was stolen, but officials say that the attack has been traced to hackers in eastern Europe. But officials are also investigating employees who were known to be present during the hours of the attack.
State officials offered some details on the nature of their security defenses. Mike Lloyd, CTO at RedSeal Networks, said that based on those reports, the Utah security architecture may be prone to human error.
"They called out five distinct types of protections," Lloyd notes. "This is typical; today’s IT infrastructure is highly complex, and the defenses built into the infrastructure are every bit as complex. Unfortunately, humans don’t handle complexity well -- it’s extremely difficult to consistently follow even basic, well-established guidelines in an infrastructure that’s large, complex, and rapidly moving."
Some security processes need to be automated, Lloyd suggests. "People cannot scale to the challenge of identifying all possible cross-combinations of factors that can permit a breach such as [Utah's]," he said. "We have to deploy computers to validate that we follow our own rules, consistently, throughout our own infrastructure. So long as we rely on human effort, breaches of this sort will continue."
Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.