When I saw the headline, “Class action lawsuit seeks to send message about the importance of safeguarding data,” I thought, “Oh, puhleese, how many times are we going to claim we’re just trying to send a message? Why haven’t they gotten it already?”
But then I kept reading a news story by Joel Griffin, and came across this interesting allegation in the Community Health Systems breach litigation:
Although she couldn’t speak to the mechanics of how some of the other large data breaches that have come to light recently were carried out, Knippa said that in the case of CHS, they used a test server loaded with password information that would allow that test server to access the company’s entire database.
“They didn’t put in or install security features that would protect the test server from hackers and the reason that they didn’t do that is they thought: ‘This will never be connected to the Internet, it’s only a test server,’” explained Knippa. “What happened was it did get connected to Internet. Somebody at the front-end didn’t tell somebody at the back-end: ‘Hey, don’t use this server again or connect it to the larger system because it hasn’t been security-proofed.’ It allowed a bug that could have easily been defended against, the Heartbleed bug, to access the test server and expose 4.5 million people’s information to identity thieves.”
Read more on SecurityInfoWatch, who were unable to get a response from CHS to the plaintiff’s attorney’s statements.