musing at the confluence of data, software and security

by Earl Chen

Common (non)Sense - Ticketmaster & Change Healthcare

01 August 2024

Another day, another Notice of Data Breach. Though these notices are arriving with increasing frequency, today was a surprise. The US Postal Service delivered two incident notices: one from Ticketmaster and the other from Change Healthcare. Both provide the usual very cursory overview of the breaches. Fortunately, news and regulatory reporting provide insight into the impacts and underlying cause.

[Images: Ticketmaster Notice of Data Breach; Change Healthcare Notice of Data Breach]

Ticketmaster explains in their help center that the data breach originated from an “isolated cloud database hosted by a third-party data services provider.” This suggests limited impact since only one database was breached. However, the lawsuit filed in California claims that the database was exceptionally large with data of 560 million customers.

Ticketmaster’s wording also implies that a third party is responsible for the breach. It has been widely reported that Ticketmaster is one of several firms whose Snowflake databases were compromised. Wired reports that account credentials were harvested from yet another third party that stored the usernames and passwords insecurely. Snowflake denies culpability and blames these customer data breaches on the lack of multi-factor authentication on production databases.

While leaking 560 million customer records is gigantic, the Change Healthcare data breach manifested in an even more dramatic fashion. As reported by Fierce Healthcare, 94% of hospitals suffered financially. The extended downtime of Change Healthcare’s payment systems pressured parent company UnitedHealth Group to advance over $6.5 billion in payments and no-interest loans to providers and forced UHG CEO Andrew Witty to testify before Congress. In his written and spoken testimony, Witty confessed that a “Change Healthcare Citrix portal … did not have multi-factor authentication.”

Having been a vendor to UHG, I have been on the receiving end of their security requirements, which include multi-factor authentication for critical systems. These breaches can be prevented by using multi-factor authentication. Good security practices dictate the use of multi-factor authentication. Yet organizations continue to subject us to this all-too-common nonsense.

tags: security