TRICARE breach affects 4,700 households

Date Reported:
12/07/07

Organization:
TRICARE

Contractor/Consultant/Branch:
TRICARE Area Office Europe (TAO-Europe)
Department of Defense TRICARE Management Activity (TMA)
Electronic Data Systems (EDS)

Victims:
TRICARE beneficiaries located in Europe between the years 2004 and 2007

Number Affected:
4,700 households

Types of Data:
Full or partial Social Security Numbers, and for one or more members of the affected household, their name, date of birth, and a medical diagnosis code associated with a health benefits claim submitted to TMA

Breach Description:
On November 7, 2007, Electronic Data Systems (EDS) reported to TRICARE that it had discovered a potential compromise of sensitive personally identifiable information belonging to beneficiaries located in Europe. EDS is an IT contractor for TRICARE and "had not appropriately secured a part of the system" it supports.

Reference URL:
TRICARE TMA Website Announcement
Air Force Times Story

Report Credit:
TRICARE

Response:
From the online sources cited above:

A potential compromise of personally identifiable information belonging to approximately 4,700 TRICARE beneficiaries located in Europe occurred recently due to a problem with a claims Web site managed by Electronic Data Systems (EDS).

The incident was reported to TRICARE on November 7, 2007. The information that was potentially compromised, however, existed between the years 2004 and 2007.

The compromised information may include your full or partial Social Security Number, and for one or more members of your household, their name, date of birth, and a medical diagnosis code associated with a health benefits claim submitted to TRICARE Management Activity.

Although the assessment yields that external entities did, in fact, access the system for purposes that do not appear malicious, at this time we have no indication that any of your personal information has been misused.
[Evan] This statement is a little confusing to me.  Are the "external entities" authorized or not?  If they were not authorized to use the system, and they had in fact accessed the system, then I would say that the access was probably malicious in nature.

It is possible that an unauthorized person could have accessed your personal information, but the Department of Defense is taking proactive steps to keep you informed.
[Evan] I don't like the word "proactive" when using it in reference to a reaction.  The notification is a reaction to a lack of proactivity.  You dig?

Those who may have been potentially affected by this compromise will receive a notification letter.

The data was held on a Web application server that allowed external entities an unauthorized level of access without going through the required authentication process if the Web address was known.

That situation has since been remedied.

Practices such as Public Key Infrastructure (PKI) requirements and authentication verification cookies have fixed all known vulnerabilities associated with this incident. In addition, the CMS application has since been taken off-line. EDS has completed the forensics analysis of the server and is performing a by-line code review to ensure there are no further critical vulnerabilities present in the code.
[Evan] Should EDS be the ones conducting the vulnerability assessment and code review?  If it were me, I would feel more comfortable with a third-party review.

EDS is offering beneficiaries put at risk a free, one-year subscription to a credit monitoring and protection service.

Additionally, those affected will receive up to $20,000 identity theft protection coverage with no deductible as it relates to this matter.

Affected beneficiaries with questions or concerns may contact the EDS Incident Response Center at 1-.

Those located outside the United States must dial the country’s AT&T USADirect access number first.

Commentary:
I am trying to determine with some certainty what led to this breach.
Was it poorly written code? (check out OWASP)
Was it a misconfiguration of the web server?
Was encryption not required, i.e., could a user use either http or https to access the application?
Was it a combination of factors? I will assume it was a combination of factors.
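The notice above describes the hole as a Web application server that served protected pages to anyone who knew the address, later closed with authentication verification cookies. The following is an added illustration, not code from TRICARE, EDS or this post: a constructed claims-site dispatcher with the per-page check pattern (the failure mode) beside one with a central check tied to an HMAC-signed session cookie. The secret, the route names and the claim record are all assumptions.

```python
import hmac
import hashlib
from typing import Optional, Tuple

# Constructed demo values (assumptions, not from the incident)
SECRET = b"demo-secret-not-for-production"
CLAIMS = {"claims/4711": "diagnosis code REDACTED, SSN ***-**-1234"}

def sign(user: str) -> str:
    """Issue an authentication verification cookie: user + HMAC tag."""
    tag = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"

def verify(cookie: Optional[str]) -> Optional[str]:
    """Return the user named in the cookie if its tag is valid, else None."""
    if not cookie or "." not in cookie:
        return None
    user, tag = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison; a wrong-length or forged tag simply fails
    return user if hmac.compare_digest(tag, expected) else None

def vulnerable_app(path: str, cookie: Optional[str]) -> Tuple[int, str]:
    """Only the landing page checks the cookie. A claim page reached by its
    direct address is served without any authentication check, which is
    the 'known Web address' hole the notice describes."""
    if path == "home":
        return (200, "welcome") if verify(cookie) else (302, "login")
    if path in CLAIMS:
        return 200, CLAIMS[path]          # no authentication check here
    return 404, "not found"

def hardened_app(path: str, cookie: Optional[str]) -> Tuple[int, str]:
    """One central gate runs before any handler: every non-public path
    requires a verified cookie, so knowing the address is not enough."""
    if path == "login":
        return 200, "login form"          # the only public page
    if verify(cookie) is None:
        return 302, "login"               # redirect; reveal nothing
    if path in CLAIMS:
        return 200, CLAIMS[path]
    return 404, "not found"
```

The hardened version still only answers "is this visitor logged in"; a real claims site would additionally check that the logged-in beneficiary owns the claim requested.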

On the one hand, I commend EDS for disclosing the breach to TRICARE, but on the other hand I am concerned about how long this problem may have gone unnoticed. Web applications acquiring, processing, accessing, storing or interacting with sensitive information in any manner require regular security reviews commensurate with the risk to such information (unauthorized disclosure, alteration or destruction). This seems to be a case where you have an IT contractor in charge of design, implementation and maintenance of an application (typically with functionality as a driving factor) but also in charge of maintaining its security. Information security really is a "stand-alone" function that should not be lumped into the same IT contract and warrants a "stand-alone" contract with a company that specializes in information security. My $.02.

Past Breaches:
Unknown
