Navigation
Even a minor lapse in security protocol can lead to major costs Posted by: Karen Goulart
May 18, 2012

May 18 2012 12:17AM GMT

Even a minor lapse in security protocol can lead to major costs

Posted by: Karen Goulart

CIO, information security strategy, Data privacy, data leakage, data breach, Compliance, risk management

Very bad things happen when security protocols are neglected. Just ask Stephen Fletcher, the now-former CIO for the state of Utah. Fletcher was fired by Gov. Gary Herbert this week over the March data breach that compromised the personal and medical information of about 780,000 Utahns. Two of Fletcher’s former employees are under investigation in connection to mistakes that led to the breach.

Somebody fell asleep at the switch — or server, as it were — allowing hackers in Eastern Europe to slip right into the state’s Medicaid database. They slipped out with hundreds of thousands of birthdates, names, addresses and social security numbers, among other useful tidbits. It’s believed that, by exploiting an unchanged default password on the user-authentication layer of the system, they were able to bypass multiple layers of security controls. Yes, a default password cost at least one person his job, more than half a million people their privacy and millions in taxpayer dollars to clean up the mess.

Herbert said he sought the CIO’s resignation because Fletcher lacked “oversight and leadership.” Ouch. Maybe this wouldn’t sound so bad if, as several accounts suggest, Fletcher weren’t so good. Since he was named the state’s CIO in 2005, Utah has emerged as a leader in government tech and innovation, and Fletcher has been credited with leading the state to successful enterprise-wide IT consolidation and centralization. He’s a past president of the National Association of State Chief Information Officers and a past recipient of Government Technology’s “Top 25 Doers, Dreamers and Drivers” award. But now a default password overshadows all of that.

Fletcher told Government Technology that the incident was preventable and is an example of why more funding is needed to protect government IT systems. In just the past four months, he said, cyberattacks on the state’s technology system have spiked 600%. But Fletcher also bemoaned the fact that this would overshadow all of the good work done by his department — the cost savings, the consolidation, the presence of more than 1,000 online services for residents.

Whether Fletcher is personally at fault is still under investigation, but he certainly has taken the fall. One would hope security protocols at least existed — if not, the blame surely lies at his feet. If they were in place and employees simply didn’t follow them — well, the blame still falls on Fletcher. In the end, he is the leader in this scenario, and unless it can be proved his team members maliciously left the server vulnerable, it’s his job to make sure they do theirs.

Certainly, this is an extreme example of what can go wrong when security protocols are not adhered to (or are possibly nonexistent), but nonetheless one worthy of every CIO’s attention. Handling security and compliance is a balancing act and a team effort. Stories like this one are sobering reminders that, while it isn’t easy, steadfast attention to managing information risk has value beyond measure.

PREVIOUS POSTS
Apr 03.12 | Global Payments hopes to soon regain PCI compliance after breach

Global Payments hopes to soon regain PCI compliance after breach
read more

Oct 11.11 | Businesses failing to comply with PCI DSS security standards: Verizon and Banktech India News Network, 9/29/2011 10:55:29 AM

Too many businesses are struggling to comply with payment card security standards, putting consumers’ confidential information at risk, according to a report by IT services and solutions provider Verizon. Te report for a second year in a row found compliance lacking on the payment card security front. read more

May 03.11 | Sony data breach update reveals 'bad practices' By Emily Chung, CBC News

The data breach affecting Sony Online Entertainment's 24.6 million accounts is linked to a previously announced cyberattack on Sony's PlayStation Network and Qriocity entertainment service, which affected the personal information of more than 77 million users. Thomas Peter/Reuters read more

Mar 11.11 | Assume you’re always under attack’: experts By: Liam Lahey On: 11 Mar 2011 For: ComputerWorld Canada

Enterprises must make a conscious decision about what information we’re prepared to lose, said an exec with security vendor Symantec. Why companies are missing the mark with security risk management read more

Oct 26.10 | ‘Spear-Phishing’ Attacks Keep on Giving by Kim Zetter, wired.com

‘Spear-Phishing’ Attacks Keep on Giving

* By Kim Zetter read more

Sep 16.09 | Web server attacks, poor app patching make for nasty mix Jump in site hacks, lazy Adobe, Sun, Apple program patching to fuel online threats By Gregg Keizer September 15, 2009 03:44 PM ET

Web server attacks, poor app patching make for nasty mix
Jump in site hacks, lazy Adobe, Sun, Apple program patching to fuel online threats
By Gregg Keizer
September 15, 2009 03:44 PM ET read more

Jul 02.09 | Heartland breach cost $12.6 million, CEO says

By Robert Westervelt, News Editor 07 May 2009 | SearchFinancialSecurity.com

Heartland Payment Systems Inc. said it was experiencing losses this quarter as a direct result of a massive data breach it disclosed in January when investigators discovered a malicious program sniffing credit card data passing through its systems. read more

Apr 20.09 | RBS, Heartland no longer PCI compliant

RBS, Heartland no longer PCI compliant

By Dan Goodin in San Francisco • Posted in Security, 13th March 2009 21:40 GMT

Visa on Friday alerted the world that RBS WorldPay and Heartland Payment Systems are not on its list of payment card processors who are in good standing with industry-mandated standards for data security.

The move follows announcements by both companies that they experienced data breaches that exposed details for a large number of credit cards to criminal hackers. RBS said the security lapse exposed 1.5 million cards. Heartland has yet to say how many cards were affected.
read more

Sep 30.08 | FAQ: Clickjacking -- should you be worried? Nearly all browsers are vulnerable to this new attack class, but details are scarce!

read more

ARCHIVE