TrustedSec CEO David Kennedy recounted to a Congressional panel last week how he was able to access 70,000 records from the HealthCare.gov website within four minutes, using a technique called passive reconnaissance.
Kennedy called the attack, which allowed him to query and look at how the website operated and performed, “rudimentary.” He was able to extract information from the site without actually going into the system. This wasn’t the first time he had testified about the security of HealthCare.gov, either. Last November he spoke about the same issues, and in a TrustedSec blog post
the same day as last week’s hearing, he said things had only gotten worse.
“Today, nothing has changed and it’s business as usual on the HealthCare.gov site,” he wrote. “Out of the issues identified last go-around, there has been a half of a vulnerability closed out of the 17 previously disclosed, and since my last appearance, other security researchers have also identified an additional 20+ exposures on the site.”
Kennedy wasn’t alone at the hearing last week, either. Other white hat hackers testified to the House Science and Technology Committee about the same thing. Then Kennedy joined them—Kevin Mitnick, Ed Skoudis, Chris Nickerson, Eric Smith, Chris Gates, John Strand, Kevin Johnson, and Scott White—in signing and releasing a joint statement
detailing their opinions and criticisms of HealthCare.gov security.
In short, they all echo the sentiment that the glaring vulnerabilities in HealthCare.gov security could result in mass identity theft, and that the lack of security best practices in devising the site have made a breach all but certain.