Space startup Basalt Technologies started in a shed behind a Los Angeles dentist’s office, but things have escalated quickly: soon it will try to hack a derelict satellite and install its space-specific OS. The startup’s cofounder, Alex Choi, found himself living in said shed after suddenly getting kicked out of his MIT dorm due to […]
© 2024 TechCrunch. All rights reserved. For personal use only.
UnitedHealth Group Chief Executive Officer Andrew Witty told senators on Wednesday that the company has now enabled multi-factor authentication on all the company’s systems exposed to the internet in response to the recent cyberattack against its subsidiary Change Healthcare.
The lack of multi-factor authentication was at the center of the ransomware attack that hit Change Healthcare earlier this year, which impacted pharmacies, hospitals and doctors’ offices across the United States. Multi-factor authentication, or MFA, is a basic cybersecurity mechanism that prevents hackers from breaking into accounts or systems with a stolen password by requiring a second code to log in.
In a written statement submitted on Tuesday ahead of two congressional hearings, Witty revealed that hackers used a set of stolen credentials to access a Change Healthcare server, which he said was not protected by multi-factor authentication. After breaking into that server, the hackers were then able to move into other company systems to exfiltrate data, and later encrypt it with ransomware, Witty said in the statement.
Today, during the first of those two hearings, Witty faced questions about the cyberattack from senators on the Finance Committee. In response to questions by Sen. Ron Wyden, Witty said that “as of today, across the whole of UHG, all of our external-facing systems have got multi-factor authentication enabled.”
“We have an enforced policy across the organization to have multi-factor authentication on all of our external systems, which is in place,” Witty said.
When asked to confirm Witty’s statement, UnitedHealth Group’s spokesperson Anthony Marusic told TechCrunch that Witty “was very clear with his statement.”
Witty blamed the fact that Change Healthcare’s systems had not yet been upgraded after UnitedHealth Group acquired the company in 2022.
“We were in the process of upgrading the technology that we had acquired. But within there, there was a server, which I’m incredibly frustrated to tell you, was not protected by MFA,” Witty said. “That was the server through which the cybercriminals were able to get into Change. And then they led off a ransomware attack, if you will, which encrypted and froze large parts of the system.”
Do you have more information about the Change Healthcare ransomware attack? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
Witty also said that the company is still working on understanding exactly why that server did not have multi-factor authentication enabled.
Wyden criticized the company’s failure to upgrade the server. “We heard from your people that you had a policy, but you all weren’t carrying it out. And that’s why we have the problem,” Wyden said.
UnitedHealth has yet to notify people that were impacted by the cyberattack, Witty said during the hearing, arguing that the company still needs to determine the extent of the hack and the stolen information. As of now, the company has only said that hackers stole personal and health information data of “a substantial proportion of people in America.”
Last month, UnitedHealth said that it paid $22 million to the hackers who broke into the company’s systems. Witty confirmed that payment during the Senate hearing.
Two months after hackers broke into Change Healthcare systems stealing and then encrypting company data, it’s still unclear how many Americans were impacted by the cyberattack.
Last month, Andrew Witty, the CEO of Change Healthcare’s parent company UnitedHealth Group, said that the stolen files include the personal health information of “a substantial proportion of people in America.”
On Wednesday, during a House hearing, when Witty was pushed to give a more definitive answer, testifying that the breach impacted “I think, maybe a third [of Americans] or somewhere of that level.”
Witty said he was reluctant to give a more precise answer because the company is still investigating the breach and trying to figure out exactly how many people were affected.
UnitedHealth’s spokesperson Anthony Marusic did not immediately respond to a request for comment on Witty’s estimate.
During a hearing in the Senate earlier on Wednesday, Witty said that it will likely take “several months,” before the company can begin notifying victims of the data breach.
In a written statement filed by Witty ahead of the two hearings, the CEO wrote that “so far, we have not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data.”
According to Witty’s testimony, the hackers “used compromised credentials to remotely access a Change Healthcare Citrix portal,” which was not protected by multi-factor authentication, a basic cybersecurity measure that adds an extra step to log into accounts and systems.
Had that portal had multi-factor authentication enabled, the breach may not have happened. Several Senators grilled Witty on that failure, asking him whether UnitedHealth and Change Healthcare systems are now protected with multi-factor authentication.
During the Senate hearing, Witty said: “We have an enforced policy across the organization to have multi factor authentication on all of our external systems, which is in place.”
The House hearing is underway as of this writing, and we will update this story as more information becomes available.
U.S. cybersecurity agency CISA is warning Sisense customers to reset their credentials and secrets after the data analytics company reported a security incident.
In a brief statement on Thursday, CISA said it was responding to a “recent compromise” at Sisense, which provides business intelligence and data analytics to companies around the world.
CISA urged Sisense customers to “reset credentials and secrets potentially exposed to, or used to access, Sisense services,” and report to the agency any suspicious activity involving the use of compromised credentials.
The exact nature of the cybersecurity incident is not clear yet.
Founded in 2004, Sisense develops business intelligence and data analytics software for big companies, including telcos, airlines and tech giants. Sisense’s technology allows organizations to collect, analyze and visualize large amounts of their corporate data by tapping directly into their existing technologies and cloud systems.
Companies like Sisense rely on using credentials, such as passwords and private keys, to access a customer’s various stores of data for analysis. With access to these credentials, an attacker could potentially also access a customer’s data.
CISA said it is “taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations.”
Sisense counts Air Canada, PagerDuty, Philips Healthcare, Skullcandy and Verizon as its customers, as well as thousands of other organizations globally.
News of the incident first emerged on Wednesday after cybersecurity journalist Brian Krebs published a note sent by Sisense Chief Information Security Officer Sangram Dash urging customers to “rotate any credentials that you use within your Sisense application.”
Neither Dash nor a spokesperson for Sisense responded to an email seeking comment.
Israeli media reported in January that Sisense had laid off about half of its employees since 2022. It is unclear if the layoffs impacted the company’s security posture. Sisense has taken in close to $300 million in funding from investors, which include Insight Partners, Bessemer Ventures Partners and Battery Ventures.
Do you know more about the Sisense breach? To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.
Founded in 2017, Atoms Lanka Solutions is a provider of IT consulting and software development services. Throughout the company’s history, we have worked with over 160 customers from 5+ countries..
