Kevin Mitnick, who once topped the world’s most wanted list as a ‘hacking cyber criminal’ and has since turned security expert, submitted a scathing criticism of ObamaCare’s healthcare.gov website to a House panel Thursday, calling the protections built into the site “shameful” and “minimal.”
Mitnick submitted a letter in testimony to the House Science, Space and Technology Committee which stated: “It’s shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices to mitigate the significant risk of a system compromise.” His letter, submitted to panel Chairman Lamar Smith, R-Tx, and ranking member Eddie Bernice Johnson, D-Tx, included comments from several leading security experts.
Mitnick concluded that, “After reading the documents provided by David Kennedy that detailed numerous security vulnerabilities associated with the Healthcare.gov Website, it’s clear that the management team did not consider security as a priority.” His comments were backed up by testimony from Kennedy, who is CEO and founder of TrustedSec LLC and a self-described “white hat hacker,” meaning someone who hacks in order to fix security flaws but does not commit cyber crime.
Kennedy previously testified before the same panel back in November concerning the site’s security issues. In his testimony Thursday, Kennedy stated that most of the flaws they identified at that time still exist on the site and said, “indeed, it’s getting worse,” telling the panel that he and other experts have seen little improvement in the past two months. “Nothing has really changed since our November 19 testimony,” Kennedy said. Only half of a vulnerability has been found and plugged since then, he told the committee. “They did a little bit of work on it and it’s still vulnerable today.”
Also speaking at the panel were Michael Gregg, chief executive officer of Superior Solutions, Waylon Krush, co-founder and CEO of Lunarline, and Dr. Lawrence Ponemon, chairman and founder of the Ponemon Institute.
There have been no confirmed security breaches or hacks of the site yet, despite the alarming current and past testimony from the panel. At the November panel, however, Kennedy said the website “may have already been hacked.” The flaws that have been found are mere speculation, pointed out Krush, whose firm has done security work for the Department of Health and Human Services.
“Nobody here at this table can tell you there is a vulnerability,” he said during testimony. To actually test the flaws would require hacking the website itself, which would mean breaking the law, he noted.
During his testimony, Kennedy stated that the vulnerabilities could have long-term damaging results and that the website is a literal “Gold Mine,” a compromise of which could have far more serious consequences than the loss of credit card data in the recent incidents involving several major retail chain stores, where millions of customers’ data was compromised.