Earlier this year a massive data breach in the Utah state healthcare system compromised more than a quarter million Utah residents' personal information. Social Security numbers and other personal data about some 280,000 individuals were obtained by hackers believed to be operating from Eastern Europe. Less sensitive data about another half million individuals was also exposed.
In mid-May the breach claimed a ritual head. Utah's governor, Gary Herbert, forced the resignation of Stephen Fletcher, executive director of the state's Department of Technology Services, reportedly on the grounds that Fletcher had failed to exercise "oversight and leadership."
Utah state officials suffered further self-inflicted embarrassment by initially reporting that "only" 24,000 health records had been breached. They then had to admit that the breach was far more extensive than they had first stated.
Two other state IT officials remain under investigation in the breach. A state contractor was also sacked for providing software that lacked encryption protections.
This is what happens to IT executives after a major data breach occurs on their watch.
More instructive, perhaps, is how the hackers got into the state's data. Reportedly they broke into a server holding Medicaid data at the Utah Department of Health. The attack, on March 30, used a default password to get past the user authentication layer of the system.
Multiple security controls were bypassed, at the perimeter, network, and application levels. But at the heart of the exploit was, apparently, a failure to maintain sound password policy: a default credential that should have been changed when the server was provisioned was still in place. To security professionals this story is all too common. Most security breaches do not require brilliant hacking skills. They rely far more on organizations failing to take basic steps to protect their networks.