Data Breach Dissection, Part 1: Are Admin Passwords Dead?


Last week my kids came of age. We received a letter in the mail from our medical benefits provider that one of their data service providers had been hacked—and that my children’s personal data was compromised.

It’s interesting to read the benefits company’s “feel-good” letter from a distance when my head is so in the weeds of identity verification. It was as if I were watching an accident happen in slow motion while at the same time performing forensic analysis on the pieces of that same wreck.

What happened? 

The breach occurred almost 8 months ago. It took a month for the provider’s investigation to confirm that company information on the platform had been accessed and acquired without authorization. Then another four months to specifically assess that my kids’ personal data was compromised. 

And then another two months for notices to go out to those concerned.

What information was involved? 

Everything on record. Name, date of birth, Social Security number. This all highlights just how much of our personal information is shared with service providers across a range of industries—data well beyond the required purpose for providing the service.

How did they remedy the breach? 

According to the notice, the provider stopped access to the compromised software, removed the malicious files, conducted a thorough analysis of the database, applied the recommended patches, and “reset administrative passwords to the system.” 

Let’s repeat this last part again to make sure I copied it correctly: “Reset administrative passwords to the system.”

Failing to respond to an outsized risk

The Identity Theft Resource Center (ITRC) stated in its 2023 Business Impact Report that research had recorded the highest-ever level of businesses reporting attacks—an astounding 73%—over the prior three years. Among reporting companies, the vast majority had not utilized basic security tools, with a mere 27% requiring multi-factor authentication (MFA) for internal system access and only 34% requiring it for external account access.

The challenge with this last statistic is that while many companies perceive greater risk, and therefore have a higher rate of adoption, for external accounts (even though 34% is an outright fail by my standards), that number drops off even further for internal system access. 

One conclusion we can draw is that intra-company security is extremely weak. Why does this matter? One compelling reason is administrative portals.

Several concerning cases last year

Below are just a few of the recent data breaches that illustrate the weakness of administrative passwords:

  • Shields Health Care Group, Inc. (April 2023): A single compromised administrator password exposed the personal data of 2.3 million patients, including medical records and Social Security numbers. 
  • City of Tulsa payroll system (May 2023): A phishing attack tricked an administrator into divulging their credentials, allowing hackers to access the city’s payroll system and compromising the personal information and bank account details of over 10,000 city employees. Perhaps not as many victims as Shields Health or other headline attacks, but still a comprehensive data attack on a community.
  • LastPass Credential server breach (August 2023): While the exact cause remains under investigation, some reports suggest an administrator’s compromised credentials might have played a role in this major breach. Hackers gained access to a LastPass cloud storage server containing encrypted customer password vaults. While the passwords remained encrypted, the incident sparked concerns about potential vulnerabilities in cloud-based password management solutions and the crucial need for secure access controls even for trusted entities like administrators.

Breaches like these can cost organizations millions of dollars in fines, settlements, and lost revenue from reputational damage.

Lessons for all of us

I try to teach my kids that we can’t control the circumstances around us, but we can learn from what happens to us. So what are the lessons of our medical provider leak?

  1. The world can be an ugly place.
  2. The nose knows. If something does not smell good, it has passed its sell-by date. And the usefulness of passwords has long passed its expiry date.

In part 2 of this series, we will explore the pros and cons of using various biometrics for identity verification purposes.

About the post:
Images are generative AI-created. Prompt: Bruce Lee kicking down gigantic steel vault door, leg in the air, leg fully extended making contact with the door, door breaking open, pieces of metal flying in the air, still frame from 1970s kung fu movie, full frame, vintage feel. Tool: Midjourney.

About the author:
Terry Brenner is the Head of Legal, Risk, and Compliance for IDVerse America. He oversees the company’s foray into this market, heeding to the sensitivities around data protection, inclusivity, biometrics, and privacy. With over two decades of legal experience, Brenner has served in a variety of roles across a diverse range of sectors.
