According to David Kennedy, CEO of TrustedSec, the information was easily obtained without even resorting to hacking. Appearing on Fox News Sunday, Kennedy explained:
“There’s a technique we call passive reconnaissance which allows us to query and look at how the website operates and performs.... These type of attacks that I’m mentioning here ... is very easy to do, it’s a rudimentary type attack that doesn’t actually attack the website itself — it extracts information from it without actually having to go into the system.... Think of it this way, think of something where you have a car and the car doors are open and the windows are open and you can see inside of it, that’s basically what they allow you to do and there’s no real sophistication level here — it’s just really wide open.... And 70,000 was just one of the numbers that I was able to go up to and I stopped after that.... You know, I’m sure it’s hundreds of thousands — if not more — and it was done within about a 4 minute timeframe.”
Kennedy’s announcement provoked so many concerns that he had to update his blog post to emphasize that no data was actually dumped and no hacking took place. He reiterated that he simply used basic Google tools to search the Web, a fact that likely did not assuage concerns over the security of the website.
Simply stated, healthcare.gov “fails to meet even basic security practices for protecting sensitive information of individuals and does not provide adequate levels of protection for the website itself,” he said.
Kennedy has already testified before congressional committees twice on the lack of security in the healthcare website.