Poorly Set Server, Human Error Blamed for DC Health BreachLawmakers Call for Firing in the Wake of Data Breach That Affected Congress
House Oversight committee members called for the firing of whoever caused the DC Health Benefit Exchange breach and exposed the personal information of lawmakers to a dark web criminal forum. An exchange executive testified Thursday that the breach had been caused by "human error" and a server that was configured with no authentication controls.
The misconfigured server, which stored personal information including names, Social Security numbers, birthdates and emails addresses for 56,456 individuals, was at the center of questioning during a joint meeting of two House Administration subcommittees.
"We're going to want to know how those responsible are going to be held accountable," Rep. Nancy Mace, R-SC, asked Mila Kofman, executive director of the DC Health Benefit Exchange Authority. "Do they even still have a job today?"
Kofman testified that the server had been installed in mid-2018. Cybersecurity teams are still looking into who misconfigured the equipment - a government employee or a contractor. When pressed by Mace on whether anyone had been fired, Kofman responded, "It wasn't caught in all of the steps that led to this event. Once we identify everyone who had any part of it, we're going to have lots of information to act on and lessons to make sure it never, ever happens again."
"And hopefully that means they get fired," quipped Mace.
Prior to the hearing, the DC Health Benefit Exchange had provided committee members with a seven-page report by Mandiant, which was hired within days of the incident to investigate the breach. The report was described as "wildly underwhelming" by Rep. Bryan Steil, R-Wisc.
Rep. Barry Loudermilk, R-Ga., said lawmakers still don't know key information. "We still do not know who is behind the attack. We still do not know if the data is for sale on other areas of the dark web. We still do not know how much data the hacker accessed, and we still do not know exactly how this was able to occur." He added that the Mandiant report "largely blames Amazon Web services when, interestingly enough, Mandiant is a subsidiary of Google, one of AWS's largest competitors."
Mandiant declined to testify at the hearing, but a Mandiant spokesperson said the company was unable to meet with the committee because of "unavoidable scheduling conflicts and has offered to meet with the committee at another time."
Kofman apologized to the committee for the breach and said the organization has hired other "outside cybersecurity experts" to further investigate the matter. She said the FBI Cyber Security Task Force was immediately notified and the origin of the misconfigured server was identified and fixed within two days of discovery.
The server was "misconfigured to allow access to the reports on the server without proper authentication," she said. "Based on our investigation to date, we believe the misconfiguration was not intentional but human mistake."
The breach first came to light on March 6 when the DC Health Exchange discovered the personal data of congressional members posted on a dark web forum for sale. Kofman said the organization notified all affected lawmakers and offered three years of identity theft protection. So far, 19% of the victims have opted to accept the services.
The breach affected "17 Members of the House and 43 of their dependents, and 585 House staff members and of their 231 dependents," plus other individuals and families in the Washington area. Kofman said she could not provide an exact number of how many people might be affected, but there was no evidence that other files on the server had been accessed by cybercriminals.
One lawsuit, filed last month by a victim of the breach, alleges that up to 506,000 individuals may have been affected by the incident.