Many reported a claim, by security researcher David Kennedy, that he hacked 70,000 records from Healthcare.gov in four minutes. He did claim that, right, everyone?
Reuters' David Morgan, with Jim Finkle: "He said he wrote a short computer program in five minutes that automatically collects that data, which was able to import some 70,000 records in about four minutes. He said the information was accessible via the Internet and he did not have to hack the site to get it. He declined to elaborate."
SlashGear's Brittany Hillen, with the headline Hacker accesses 70,000 Healthcare.gov records: "David Kennedy has been vocal about these issues, though little has been done to address them. Perhaps to make a bigger point, he took advantage of the vulnerability in recent times and managed to access 70,000 records over the course of four minutes, saying, 'Seventy-thousand was just one of the numbers that I was able to go up to, and I stopped after that.'"
Tim Sampson at Salon: "A short computer program Kennedy claims to have written in five minutes was able to automatically collect some 70,000 records in roughly four minutes."
SD Times: "David Kennedy recounted to a Congressional panel last week how he was able to access 70,000 records from the HealthCare.gov website within four minutes, using a technique called passive reconnaissance."
Ashley Feinberg at Gizmodo reports "a gaping vulnerability—and one that can grant hackers access to over 70,0000 private records in just four minutes, at that."
And here's Computerworld's Darlene Storm: "because other government sites like DHS and IRS are integrated into healthcare.gov, for verification purposes, hackers could also access those other government sites and create an online profile for practically anyone in the system."
Sounds nasty! But it turns out the security researcher Googled something and got 70,000 results.
There’s been a few stories running around in the media around accessing 70,000 records on the healthcare.gov website. Just to note on this, we never accessed 70,000 records nor is it directly on the healthcare.gov website (a sub-site for the infrastructure). The number 70,000 was a number that was tested for as an example through utilizing Google’s advanced search functionality as well as normally browsing the website. No dumping of data, malicious intent, hacking, or even viewing of the information was done. We do not support the statements from the news organizations. From a previous blog post, the information shown in the python script was sanitized and not used through Google scraping (urllib2 python module). We’ve reached out to the news agencies to clarify as these were not our words.
On Twitter, Gabe Rivera wonders "Has anyone reported this accurately yet?"