CBS Spotlights 'Multiple Security Issues' With ObamaCare Website
On Tuesday's CBS This Morning, Jan Crawford zeroed in on the "several flaws" with HealthCare.gov that "could expose your personal information" to hackers, contrary to the Obama administration's claims that "information is protected by stringent security standards," as White House Press Secretary Jay Carney put it at an October 31, 2013 briefing.
Crawford spotlighted a South Carolina resident whose personal information was jeopardized by a faulty software code, and pointed out how easily a consumer's password could be reset with authorization: [MP3 audio available here; video below]
JAN CRAWFORD: Software experts tell CBS News they have identified multiple security issues, including with user names and passwords. We gave one technology expert the real HealthCare.gov user name of a CBS employee. Within seconds, he identified the specific security question she selected to reset her password.
Anchor Charlie Rose recapped correspondent Sharyl Attkisson's scoop about the ObamaCare website from Monday's CBS Evening News – that "a CBS News analysis finds key tests to ensure the security and privacy of customer information fell behind schedule. A deadline for final security plans was delayed three times over the summer, and final top-to-bottom security tests never got done before the launch."
Crawford then led by noting that "technology experts are telling us that was just not enough testing on the security of the website before it went live, and they've shared with CBS News several flaws that could expose your personal information." She continued by playing the soundbite of Carney's claim, and countered with the eyebrow-raising experience of attorney Thomas Dougall: "Dougall and his wife signed up on the website in October – but...got a disturbing call – a man in North Carolina, who also registered – and was shocked to get the Dougalls' eligibility letters, including their names and home address."
Later in the segment, the CBS journalist underlined the password security risk by playing a clip from the former assistant director of the Cyber Division of the FBI, who warned that "if somebody's got the ability to look at the source code and be able to reverse engineer that and identify what somebody's personal questions are, that should be of concern".
Back on the October 18, 2013 edition of CBS This Morning, Crawford highlighted how "the problems [with HealthCare.gov] go beyond the enrollment process. Most troubling...insurance companies report receiving duplicate sign-up...and records of people enrolling, un-enrolling, and then, re-enrolling. Those forms contain highly personal information."
The full transcript of Jan Crawford's report from Tuesday's CBS This Morning:
CHARLIE ROSE: New fallout this morning over the troubled ObamaCare website – a CBS News analysis finds key tests to ensure the security and privacy of customer information fell behind schedule. A deadline for final security plans was delayed three times over the summer, and final top-to-bottom security tests never got done before the launch. All of that is adding to concerns about the safety of personal information on the site.
Jan Crawford is in Washington. Jan, good morning.
JAN CRAWFORD: Well, good morning Charlie; good morning, Margaret. Technology experts are telling us that was just not enough testing on the security of the website before it went live, and they've shared with CBS News several flaws that could expose your personal information. And now, we're starting to see real-life examples of what can go wrong.
[CBS News Graphic: "Security Slip-Ups: HealthCare.Gov Flaws Could Expose Personal Info"]
CRAWFORD (voice-over): With critics openly mocking the Obama administration about problems with HealthCare.gov, officials insist on one thing: at least the website is safe.
JAY CARNEY, WHITE HOUSE PRESS SECRETARY (from press briefing): Consumers can trust that their information is protected by stringent security standards.
CRAWFORD: But tell that to South Carolina attorney Thomas Dougall.
THOMAS DOUGALL, SC ATTORNEY: My information is out there, and I want it deleted from their website.
CRAWFORD: Dougall and his wife signed up on the website in October – but over the weekend, got a disturbing call – a man in North Carolina, who also registered – and was shocked to get the Dougalls' eligibility letters, including their names and home address.
DOUGALL: It's just a system that – you know, we've been continually told was secure. And now I find out it's not secured.
CRAWFORD: A spokeswoman for the Department of Health and Human Services confirmed, 'An incident involving the personal information of one consumer was reported, and we took immediate steps. We identified a piece of software code that needed to be fixed, and that fix is now in place.'
But other fixes are not. Software experts tell CBS News they have identified multiple security issues, including with user names and passwords. We gave one technology expert the real HealthCare.gov user name of a CBS employee. Within seconds, he identified the specific security question she selected to reset her password.
Shawn Henry is president of the cyber-security firm CrowdStrike Services, and the former assistant director of the FBI's Cyber Division.
SHAWN HENRY, CROWDSTRIKE SERVICES: If somebody's got the ability to look at the source code and be able to reverse engineer that and identify what somebody's personal questions are, that should be of concern.
CRAWFORD (on-camera): Now, House Intelligence Committee chairman Mike Rogers told me yesterday this is just one more reason the website should be taken down and tested for security vulnerabilities. We're starting to see Democrats make that point – concerns, of course, that will likely be raised when [HHS] Secretary [Kathleen] Sebelius testifies again before Congress on Wednesday. Charlie and Margaret?
MARGARET BRENNAN: Jan Crawford, thank you.
— Matthew Balan is a News Analyst at the Media Research Center. Follow Matthew Balan on Twitter.