Medicaid Hacked: Over 181,000 Records and 25,000 SSNs Stolen 181
An anonymous reader writes "The Utah Department of Health has been hacked. 181,604 Medicaid and CHIP recipients have had their personal information stolen. 25,096 had their Social Security numbers (SSNs) compromised. The agency is cooperating with law enforcement in a criminal investigation. The hackers, who are believed to be located in Eastern Europe, breached the server in question on March 30, 2012."
And who will be held responsible? (Score:5, Insightful)
No one!
Re:And who will be held responsible? (Score:5, Insightful)
We must stop pretending SSNs are secret! (Score:5, Insightful)
We have to stop pretending that the SSN is something only the owner knows. It cannot be an identifier and a password at the same time. It's because of our retarded system that SSNs are such a juicy theft target. Other countries have similar personal identification numbers and no rampant "identity theft" problems like we have here in the US.
Simply put, someone should not be able to pretend they are you just by knowing your SSN and name and date of birth. All should be public info and not security questions. Someone can't go in and get a loan just because they found my name in the phone book, it should be the same with the SSN. Leave it be an identifier and only an identifier. The cat's out of the bag with the secret part.
Re:Too bad for the crooks that the people are poor (Score:3, Insightful)
Medicaid is for poor people.
TFA quotes:
25,096 appear had their Social Security numbers (SSNs) compromised
... many of them feel violated
“But we also hope they understand we are doing everything we can to protect them from further harm.”
Poor people... have their SSN compromised, feeling violated (bordering to "raped" in one meaning of the term) and asked for understanding with promises of "best effort" towards a better future.
However... are the East European hackers the primary cause of their situation?
Headlines? (Score:5, Insightful)
Okay, Slashdot seems to be getting worse and worse about distorting things in the titles of the topics. "Medicaid Hacked" is NOT what happened here. Not even close. And when the first line of the topic's body is "The Utah Department of Health has been hacked," then you can't even excuse the poster as having been a little confused; it's flagrant tabloid-like sensationalism. Cut it out, already.
Re:We must stop pretending SSNs are secret! (Score:5, Insightful)
I have no idea what you mean by "owner".
The government assigns them. Each number is supposed to uniquely identify a citizen and is used mostly for SS (and a few other governmental uses). So far so good; the government assigns them and (apparently) uses them appropriately as a unique ID number.
Now we have dozens of private businesses using them as a password. Fine, I guess it's a free country. But somehow, if someone finds out my number and uses it to open a loan in my name, *I'm* liable for the loan. It's my phone that rings with creditors and my credit score which is damaged. It seems to me that the problem is these corporations which use these numbers as passwords but disclaim liability for fraud. Make it clear that financial institutions have the liability for bad loans they originate, that bad credit reports MUST be cleared unless the financial institution can prove they are true, and that there are very strict penalties for companies which abuse these rules, and the "identity theft" problem will vanish very quickly.
Online records "hindenburg moment?" (Score:5, Insightful)
I wonder if at some point there will be a breach so bad that certain critical records will be moved to airgapped systems and never go back, just because of the horrible memory of that disaster.
Re:As they should be (Score:5, Insightful)
"Your physical security is shit, as is everyone's. "
No one is arguing that hackers who hack into a system and subsequently either damage the system or leak confidential information from the system out onto the rest of the Internet (or communicate that information to people other than employees of the company to report it to them to fix it) shouldn't be held accountable. They absolutely should.
But there is a huge difference between a residential house (my computer with my info on it) and a bank (a service provider). When I go to a bank, I don't see them leaving unguarded money out in the open for anyone to easily grab. No, they have safes, they have bullet proof glass, they have cameras, they have security guards, they have security switches to alert cops of a robber, they have all sorts of security. Even liquor stores are careful with money, having those huge armored vehicles transporting money from place to place. We expect and require them to take measures to ensure your money is safe.
A service provider is like a bank of information, they should also hold some responsibility and accountability if they store your personal information in such a way that it can easily get hacked into.
and corporations are part of the problem as well. Historically, white hat hackers used to report security vulnerabilities to corporations long before leaking them on the Internet. A while back I remember someone reported a 2wire vulnerability to 2Wire and they did absolutely nothing about it for six whole months before the person who discovered the vulnerability communicated it over the Internet and 2wire finally fixed it with a firmware upgrade (due to public pressure). Many times when people communicate vulnerabilities to corporations privately they simply ignore them. Or they sue. So now people no longer put up with that and they simply leak the information onto the Internet. Which, in some ways, is even better than allowing this information to be kept secret and discovered by black hat hackers who will buy and sell it in the black market and use it nefariously against unsuspecting victims. because by the time a white hat hacker who doesn't profit as much from discovering the vulnerabilities discovers them, chances are black hat hackers who stand to profit (and are hence far more determined to discover these vulnerabilities) already have. Black hat hackers who know very well how to get away with what they do. So in some ways it's better that the vulnerabilities and potential victims be made aware of the vulnerabilities early so they can respond before something happens.
IIRC, Google will even pay a white hat hacker to privately report a vulnerability in its system so they can fix it. That's how security should work. We're not just criticizing that these corporations make mistakes and allow vulnerabilities to exist in their systems. We're also criticizing their response when a vulnerability is privately reported. That needs to change.
Re:One more reason against Obama-care (Score:4, Insightful)
What's the "Most religious state?" [thenewamerican.com] What's the most Republican state? [gallup.com] What state can't host the Olympics [wikipedia.org] without embarrassing the USA with their corruption? What state lost $2.5M [sltrib.com] to stupid Nigerian "You have been selected to win $100M dollars!" scams? What state bans effective sex-ed? [rawstory.com] Banning D&D in public schools... polygamy... and these people are too innocent to know that the religious right GOP crowd they want to join knows for sure that every Mormon will burn in Hell.
And after yet another epic f--kup, I have to listen to posts like this... on an article about how Utah can't keep track of their Medicare records, and this somehow is an opportunity to blame Obamacare? Give me a break.
Re:Too bad for the crooks that the people are poor (Score:0, Insightful)
... many of them feel violated
Welcome to the TSA plus Obamacare? Bringing the air traffic experience to medicine.