Checklist Checklist 374: 2FA Minus One

Ransomware Attack on Change Healthcare Exposes Millions of Americans’ Data

In a recent podcast discussion, alarming details emerged regarding the massive data breach at Change Healthcare, a health tech subsidiary of UnitedHealth Group. The breach, which occurred earlier this year, was confirmed to have resulted in the theft of a substantial amount of Americans’ private healthcare data.

The podcast discussion highlighted several critical aspects of the breach, including:

Lack of 2FA

The server accessed by hackers did not have two-factor authentication (2FA) enabled, making it vulnerable to unauthorized access.

Compromised Credentials

Hackers used compromised credentials to gain remote access to a Change Healthcare Citrix portal, which lacked multi-factor authentication. This allowed them to move laterally within the system and exfiltrate data.

Extent of Breach

Estimates suggest that up to a third of Americans, or possibly more, may have been affected by the breach, given the vast amount of health information processed by Change Healthcare.

Preventable Disaster

The breach was described as preventable, with criticism directed at the lack of security measures such as 2FA.

Failure of Security Measures

Change Healthcare’s systems were not upgraded to include 2FA after UnitedHealth Group’s acquisition of the company in 2022, leading to vulnerabilities exploited by hackers.

Response from UnitedHealth CEO

UnitedHealth CEO Andrew Witty acknowledged the security failure and stated that systems are now protected with multi-factor authentication.

The discussion emphasized the significance of implementing robust security measures like 2FA to prevent similar breaches in the future. It also raised concerns about the adequacy of responses to such breaches and the protection of sensitive data.

In a recent podcast, the term “weaponized incompetence” was used to describe the security lapse in the Change Healthcare data breach, highlighting the frustration over the mishandling of sensitive information. However, amidst concerns about data security, Tinder has introduced a new feature aimed at making dating safer.

Tinder’s “Share My Date” feature, as reported by ZDNet, allows users to share specifics about their date plans with friends and family. This feature includes sharing the location, date, time of the date, and even a photo of the person the user is meeting. Users can choose who they share this information with, set up sharing for multiple dates in advance, and edit details if plans change.

While the feature aims to enhance safety, questions remain about the privacy and security of the shared information. Tinder’s access to this data raises concerns, although it’s noted that dating apps often possess extensive user data.

According to Tinder’s Chief Marketing Officer Melissa Hobley, the feature aligns with Tinder’s commitment to creating a safe and respectful environment for users. She highlighted that many singles already share date details with friends or family.

The report mentions Tinder’s delay in introducing such a feature, especially given that Match.com, owned by Match Group (which also owns Tinder), introduced a similar “Date Check-In” option in 2020. Despite this delay, the introduction of “Share My Date” is seen as a positive step towards safer dating.

Tinder plans to roll out the feature in the coming months, aiming to streamline the process of sharing basic date information, providing users with a tool to enhance their safety.

Source: ZDNet

Filed under Security News, The Checklist Podcast by SecureMac