Security Breach: Lawmakers Say 'I Told You So'

A test server was compromised but no user data lost, government officials say. And security experts wonder why a default password was used at security breach

The Website was breached in an attack, but government officials claim no personal information was stolen. The attack, disclosed in The Wall Street Journal Sept. 4, reportedly occurred in July but it wasn't noticed by government officials until Aug. 25.

The attack was targeted at a test server, where development code is first loaded for According to the government, there is no indication at this point that any user information was stolen, but the attacker was able to load malware onto the site.

The malware in question was apparently a form of denial-of-service software, according to a statement the Department of Homeland Security sent to The Washington Post.

"The National Cybersecurity & Communications Integration Center's (NCCIC), US-CERT worked with HHS to analyze and mitigate the effects of a Distributed Denial of Service malware package and there is no indication that any data was compromised at this time," DHS spokesman S.Y. Lee said in the statement.

The evidence points to the test server in question as using a default username and password combination, which enabled the attacker to gain access.

"While it's great to hear that this impacted server doesn't seem to have directly impacted users' personal data, it is concerning that such a related server could have been using a default password, as is being reported at this time," Mark Stanislav, security evangelist at Duo Security, wrote in an email to eWEEK. "Any system related to should be treated with great focus on security, including two-factor authentication and other proper security controls."

Eric Cowperthwaite, vice president of advanced security and strategy at Core Security, also questioned why a default password was being used at

Cowperthwaite is no stranger to the world of health care IT security. Prior to joining Core Security in September 2013, he was chief information security officer of Providence Health and Services.

"A basic security flaw went overlooked, and it was assumed that because the system in question wasn't supposed to be connected to the Internet, it wasn't high priority and didn't warrant continuous monitoring," Cowperthwaite said in an email to eWEEK. "But accidentally connecting a system like this to the Internet happens all the time."

The security posture of has been an ongoing concern since the site launched in October 2013. Initially, the site was plagued by accessibility delays that prevented Americans from signing up. At the time of the initial launch, multiple security experts contacted by eWEEK raised concerns about the platform's security.

According to a report in The New York Times, U.S. lawmakers are also saying, "I told you so" about the breach.

"Despite numerous warnings from myself and other lawmakers that security breaches were possible, underwent virtually no independent security testing before it went live," Senator Orrin G. Hatch (R-Utah) said in The Times report.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.