Share this article on:
Washington lawmakers are getting to the bottom of a data breach that saw tens of thousands of personal details leaked online — including their own.
Last month the US Congress sent a letter to the DC Health Benefit Exchange Authority, essentially asking the insurance provider how many of its own congresspeople were affected by a data breach in mid-March 2023.
Now this week, House oversight committee members were able to grill the executive director of the DC Health Benefit Exchange Authority, Mila Kofman, over the incident.
Kofman was forced to admit that the breach was due to user error. The compromised server had been installed in 2018 and had been set up with no authentication controls.
It appears the hardware was “misconfigured to allow access to the reports on the server without proper authentication”, Kofman said. “Based on our investigation to date, we believe the misconfiguration was not intentional but human mistake,” she said.
The committee members were not impressed with the revelation.
“We’re going to want to know how those responsible are going to be held accountable,” Representative Nancy Mace asked Kofman. “Do they even still have a job today?”
“It wasn’t caught in all of the steps that led to this event. Once we identify everyone who had any part of it, we’re going to have lots of information to act on and lessons to make sure it never, ever happens again,” Kofman replied.
The firing or not of whoever is responsible aside — and DC Health is unsure if it was a contractor or even a government employee — the committee was not impressed by the lack of information that DC Health has so far uncovered in its investigations.
“We still do not know who is behind the attack,” said Representative Barry Loudermilk. “We still do not know if the data is for sale on other areas of the dark web. We still do not know how much data the hacker accessed, and we still do not know exactly how this was able to occur.”
Loudermilk even called into question a seven-page report on the incident provided by security company Mandiant. The report “largely blames Amazon Web Services when, interestingly enough, Mandiant is a subsidiary of Google, one of AWS’ largest competitors”.
Congress first learned of the breach not from the DC Health Benefit Exchange but rather from the United States Capitol Police, which was able to purchase some of the data on the dark web in March.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.