Seven years after a 2012 data breach that exposed the personal information of nearly 800,000 people, Utah’s top technology officials said they have avoided repeat situations by building much more thorough inventories of the devices and software that access the state’s network, and by cracking down on how easily users can connect.
Mike Hussey, the state’s chief information officer, and Phil Bates, Utah’s chief information security officer, said the breach — which occurred when hackers broke into a server used by the state’s Medicaid agency — eventually cost Utah nearly $10 million on audits, security upgrades and credit-monitoring services for the victims. But the response also led the state to purchase a network-monitoring platform from Forescout, which allows IT officials to see the machines using the state computer network, and determine whether they should be allowed to stay connected or get booted off.
The Forescout platform has allowed the Utah Department of Technology Services to exert a greater level of control over the networks it operates, Hussey and Bates said Monday at a National Association of State Chief Information Officers conference in National Harbor, Maryland.
The process for approving new IT equipment has also become more rigorous. Under the controls implemented after the breach, devices connecting to state systems must first be approved by the agency using them, and must then pass muster with DTS, Bates said. If a device is found to be missing critical security patches or antivirus updates, the Forescout application can generate a service ticket to remedy that issue, he said.
“Only then can it be allowed to talk to our network,” Bates said.
Introducing round-the-clock monitoring of the state network also revealed the full extent of the machines Utah state workers are using.
“We started to discover there’s a lot more on our network than we thought,” said Hussey, including, he added, several Microsoft Xbox consoles.
Along with giving DTS a clearer picture of the state government’s IT inventory, network monitoring has also allowed the agency to revise the cost-recovery rates it charges other agencies for network use. (Though Hussey later told StateScoop he has not set a specific rate for Xboxes.)
But Hussey, who was a state IT manager when the breach occurred, said he wishes Utah had handled the incident differently. Among the missteps the state made was being imprecise with what it told media about the breach.
“We probably went to the press a little early,” Hussey said. “I don’t think we had all the information. We saw data going to Romania and feared the worst. In fact, the hackers didn’t know which box they compromised.”
Though the breach encompassed the Social Security numbers of about 280,000 Utahns, plus other forms of information pertaining to another half-million individuals, there is no evidence any of it was used maliciously. While Hussey said the state had an obvious need to share news of the breach with the public, officials at the time might have overstated the severity of the incident.