A HealthCare.gov test server still had a default password when it was hacked in July, a Department of Homeland Security official told Congress Thursday.
In the breach, which wasn’t reported until earlier this month, intruders installed malware on a server used to test code for the Obamacare website.
“Basically they were trying to create a node in a botnet to use for denial-of-service attacks,” U.S. Computer Emergency Readiness Team Director Ann Barron-DiCamillo said of the intruders. “It was a test server that was deployed out of locked configuration, meaning that the default password hadn’t been updated.”
Barron-DiCamillo, who testified before the House Oversight and Government Reform Committee on the security of the site, said the breach was not targeting the HealthCare.gov server itself but attempted to use the computer’s resources to cause trouble for other websites. Such attacks are “very common,” Barron-DiCamillo said. “They happen every day across the globe.”
No data was stolen from the server and no personally identifying information was compromised “due to the segmentation of the network,” she said. “This was a test network separate from the production network. There was no lateral movement into the production network associated with this activity.”
However, weak passwords have been a vulnerability for HealthCare.gov since the site launched, according to a Government Accountability Office report released this week. Greg Wilshusen, GAO's director of information security issues, declined to provide details of the current password situation because he said he didn’t want to put the systems at further risk.
CMS spokesman Aaron Albright told Nextgov that passwords on the remaining servers have been checked. "We did an agencywide review of all Internet-connected machines, including all test servers, after the incident was contained," he said.
This story has been updated with CMS comment.