UnitedHealth CEO: 'Decision to pay ransom was mine'

UnitedHealth CEO Andrew Witty will tell US lawmakers Wednesday the cybercriminals who hit Change Healthcare with ransomware used stolen credentials to remotely access a Citrix portal that didn't have multi-factor authentication enabled. Once they were into that management system, the miscreants were able to move through the …

  1. ecofeco Silver badge
    Facepalm

    The stupid

    It literally burns.

    1. cyberdemon Silver badge

      And off to jail you go

      Willfully paying organised criminals? Isn't that already an offence?

      If it can be argued that the ransomware crooks are Terrorists, then paying them is already an offence, even in the US.

      Attacking critical health infrastructure certainly sounds like it could fit the definition of terrorism ...

      1. Sok Puppette

        Re: And off to jail you go

        You can argue it all you want, but it still won't be true. It's perfectly legal to pay them unless the particular group you're paying happens to be on a sanctions list.

        It *should* be a criminal offense. Not because guys like that should go to jail, but because they shouldn't have to make the decision... and the decision not to pay only really works if there's nearly universal solidarity behind it anyway. By outlawing paying, you can really affect the attacker's calculations ahead of time.

        1. Frank Bitterlich

          Re: And off to jail you go

          It might not be illegal in a criminal sense, but I hope that from now on every victim of that ransomware group will sue Witty (personally) for damages, for being an accessory to ALPHV in their "business". He certainly contributed to their finances quite a bit.

      2. Anonymous Coward

        Re: And off to jail you go

        Sounds like some jail time needed, and no plea bargain bullshit.

        Assuming the buck stops here and he is not inflicted with Murdochitis - ‘didn’t see anything, didn’t hear anything, don’t know anything. I’m just the lowly CEO/Chairman’

        * see UK Leveson Inquiry, or more recently the Post Office Fujitsu/Horizon scandal.

  2. chuckufarley Silver badge

    Too pissed to read much...

    ...but:

    UnitedHealth CEO: 'Decision to pay ransom was mine'

    Fuck you too, Charlie! I hope you wind up living in a cardboard box giving blow jobs for hot dog money!

    1. sanmigueelbeer
      Facepalm

      Re: Too pissed to read much...

      Read between the lines: It was (probably) still cheaper to pay off the hackers than to stand up a competent IT team.

      What was that saying again? Money talks & BS walks.

  3. Youngone

    Odd

    It's a weird Americanism that CEOs of corporations get called up to explain themselves in front of Senate committees like they're naughty schoolboys and nobody else seems to think it's odd.

    I wonder what would happen if this CEO tells the Headmaster that how he runs the business is none of theirs?

    1. Sok Puppette

      Re: Odd

      Contempt of Congress can be punished with imprisonment. They have the power to summon *anyone* and force them to answer *any* question, under oath. In public, if they want to. It's a constitutional power, too, not something that can easily be changed.

      I suspect it's not a uniquely American thing, either. I think the *UK's* particular style would be more to make you explain yourself to the Minister of This or That in private, but even there I suspect that refusing to talk to the Minister would be a bad move. Other countries do various other things.

      Oh, and on edit: In this particular case, I doubt he was very reluctant to begin with. Lets him get his story out there.

      1. Doctor Syntax Silver badge

        Re: Odd

        In the UK that would be a Select Committee of the House of Commons. Very likely that's where Congress got the idea.

        Only if the company was owned by HMG, an arrangement where government really didn't want to take any blame for what it did, say the Post Office, would a Minister be involved and even then as remotely as possible. That doesn't preclude having to spend 3 days answering questions in a public enquiry with live reporting and coverage on the Beeb's web site.

        1. Sok Puppette

          Re: Odd

          I stand corrected and thank you. :-)

    2. Anonymous Coward

      Re: Odd

      It’s the same at a UK Statutory Public Inquiry

      But that didn’t stop The Murdochs at Leveson or all the scum from Post Office/Fujitsu having mass amnesia, blindness and deafness at the Horizon one currently playing out, or the same at the UK Government Covid Inquiry plus added mass WhatsApp message deletion/phone wiping outbreak.

    3. NLCSGRV

      Re: Odd

      But it is not "none of their business". If the company is subject to federal regulations, which they most certainly are, then it is very much their concern.

  4. Anonymous Coward
    Big Brother

    Citrix multifactor authentication already hacked

    “A vulnerability that allows attackers to bypass multifactor authentication and access enterprise networks using hardware sold by Citrix is under mass exploitation by ransomware hackers despite a patch being available for three weeks.”

    Apparently Citrix multifactor authentication runs on an APP on your phone or a SMS msg. As such it's as vulnerable to bugs as any other software. A better solution would be a hardware dongle that issues a challenge-response request on login.

    1. Anonymous Coward

      Re: Citrix multifactor authentication already hacked

      We had RSA hardware dongles. But OKTA was better… or is that just cheaper?

    2. Anonymous Coward

      Re: Citrix multifactor authentication already hacked

      It’s easy to bypass the Citrix MFA if it’s ‘not enabled’ …. which is what’s reported here.

      Incompetence/dereliction of duty under HIPAA Regulations.

      Jail-time.

      1. Snake Silver badge
        Unhappy

        Re: jail time

        Good luck with that :( I am in the search for legal representation right now and all I'm getting is refusals...but none of them, not a one, has seen a single record or document. They simply refuse the case based upon...what, I can't say. They won't even tell me why. Even though I have an expert report analysis stating that I have a case, all I've been getting is a "No, thank you".

        So getting responsibility when no one wants to admit to responsibility? Again, good luck with that.

    3. Snake Silver badge

      Re: Citrix multifactor authentication already hacked

      Or, how about a more 'base' solution?

      The UnitedHealth Citrix data doesn't say, but in the story it states that Northeast Ohio Neighborhood Health had *51GB* of data stolen.

      51GB. Why is 51GB of data download even allowed without question, from a supposedly "secure" site? Have they never heard of 'access allowed only as necessary'? What about 'data throttling and limiting for broad-search general access'?? No hospital or provider is going to request 51GB of data at a time, especially via a data dump; they access per-patient or possibly 'per report' as in "We need our quarterly performance data".

      51GB of general data download. Are you really that gullible to allow that in your systems without a single question, not raising a single early alarm??!

      I guess the answer is, "Yes". By the gods these people are stupid.

      1. Mahhn

        Re: Citrix multifactor authentication already hacked

        Most likely (most often) data is exfiltrated over days, during regular and peak web use (a company of thousands of systems bandwidth, 51GB is a drop in the bucket) so yes the data could get out unnoticed.
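The two comments above raise bulk egress that no per-request check questions and exfiltration spread over days. As an added example that is not part of the thread, here is a rolling per-account volume check run over a constructed transfer log. The account names, thresholds and log shape are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MB, GB = 1024 ** 2, 1024 ** 3

def per_transfer_alerts(events, limit_bytes):
    """Naive control: flag only accounts with a single transfer above limit_bytes."""
    return sorted({acct for _, acct, size in events if size > limit_bytes})

def rolling_volume_alerts(events, window, limit_bytes):
    """Flag accounts whose total egress inside a sliding `window` exceeds
    limit_bytes. Returns {account: (first_alert_time, bytes_in_window)}."""
    recent = defaultdict(deque)   # account -> (time, size) pairs still in window
    totals = defaultdict(int)     # account -> bytes currently in window
    alerts = {}
    for ts, acct, size in sorted(events):
        q = recent[acct]
        q.append((ts, size))
        totals[acct] += size
        # Drop transfers that have aged out of the window.
        while q and q[0][0] <= ts - window:
            totals[acct] -= q.popleft()[1]
        if totals[acct] > limit_bytes and acct not in alerts:
            alerts[acct] = (ts, totals[acct])
    return alerts

def constructed_events():
    """Constructed sample log (hypothetical accounts): (timestamp, account, bytes_out)."""
    start = datetime(2024, 1, 1, 9, 0)
    events = []
    for day in range(10):
        base = start + timedelta(days=day)
        # Normal use: per-patient lookups, 40 transfers of 2 MB a day.
        events += [(base + timedelta(minutes=10 * i), "clinic-frontdesk", 2 * MB)
                   for i in range(40)]
        # Slow bulk pull: 17 chunks of 300 MB a day, 51,000 MB over ten days.
        events += [(base + timedelta(minutes=25 * i), "portal-svc", 300 * MB)
                   for i in range(17)]
    return events

if __name__ == "__main__":
    ev = constructed_events()
    print("single transfer > 1 GB:", per_transfer_alerts(ev, 1 * GB))
    hits = rolling_volume_alerts(ev, timedelta(days=3), 10 * GB)
    for acct, (ts, total) in hits.items():
        print(f"{acct}: {total / GB:.1f} GB within 3 days, first crossed at {ts}")
```

No single transfer in the sample is large enough to trip a per-request limit, while the cumulative window flags the bulk account on the third day and leaves the per-patient account alone.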

  5. HereIAmJH Silver badge

    How about jailtime for crappy CEOs?

    Witty says he supports policy changes to mandate better cybersecurity practices among healthcare organizations.

    Would it be too much for him to take the responsibility for securing his organization's assets? Do we legislate that they have to have locks on the doors of their buildings?

    1. Anonymous Coward
      Facepalm

      Re: How about jailtime for crappy CEOs?

      I wonder how many of these security companies are eating their own dogfood?

  6. Daedalus

    The cheaper option

    After all, hiring competent cyber security people is expensive. As certain online tales demonstrate, the problem of security is really one of ego, incompetence and bureaucracy.

    1. Anonymous Coward

      Re: The cheaper option

      And since these costs will be passed on to customers, it's no big deal for UHC. Since most health insurance firms in the US enjoy regional near monopoly status, they figure the customers won't go elsewhere.

  7. Zibob Silver badge

    Really? Interesting.

    "The team replaced thousands of laptops, rotated credentials, rebuilt Change Healthcare's data center network and core services, and added new server capacity," Witty's testimony reads. "The team delivered a new technology environment in just weeks — an undertaking that would have taken many months under normal circumstances."

    So they get to save money not employing proper security and practices.

    Pay off the attackers

    Keeps the job and gets to glad hand it with Congress.

    And then gets a brand new DC in weeks, in this climate of years lead times in some cases for the same, professionally set up and with new security.

    So they did nothing, got attacked for it, get rewarded for it and then get a professional data centre makeover too.

    This job sounds easy.

    1. J. Cook Silver badge
      Facepalm

      Re: Really? Interesting.

      Oh, and the company also writes off the cost of it on their taxes, too.

  8. An_Old_Dog Silver badge

    Doing MFA

    1. I like the idea of those little crypto-number response boxes, far better than and I hate any security scheme based on smartphone-related functionality, as smartphones are pre-compromised, ineffectively-remediable devices.

    2. Weren't a metric crap-ton of such boxes discovered to be vulnerable to an attacker, due to an error in the software which the hardware correctly implemented, or due to an error in the hardware implementation of the (correct) software? Were those compromised devices ever replaced?

  9. RJW

    Constant War

    Having a company with x number of employees is like trying to protect a castle with x number of doors. You only have to leave 1 door open, and your castle is breached. With an attack occurring every 70 seconds, surely, it's inevitable that every company will eventually succumb to a cyber security breach. It’s like a constant war of attrition.

    1. Cris E

      Re: Constant War

      And if that company only has a small IT component it's even more likely to occur due to low quality security design and inadequate staffing.

      I know a guy who was president of a network of small old folks homes. They live inches from solvency, are mostly concerned with trying to keep enough staff to stay in business, and yet are tasked with holding a ton of resident and employee data, both personal and medical. They got breached and just went ahead and paid to get their data back because there was exactly zero chance they could rebuild their systems without it. Unprofessional IT shop? Absolutely. But his choice was to write one check (and then hire someone to rebuild IT from there) or literally close the doors and send these people out in the street. Not a hard choice for him.

      If you don't like the drama of old people then think of poorly defended dentist offices, or law offices, or any small business that doesn't have the knowledge that moving to a SaaS would be easier, safer and cheaper than keeping whatever old system is running under Sheryl's desk alive. They don't even know they are in trouble but employee and customer and payment data is laying all over the place. Telling many of these places they can't write the check just means they go out of business. The reason most haven't been hit yet is because they aren't wealthy enough for criminals to spend the time on, but as the script kiddie tools get better they will be worth that tiny effort.