Administration officials knew that the Obamacare Web site posed a danger to online security days before it actually went live, according to an internal memo obtained by the AP and The Washington Post.
The memo warned that in the days leading up to the launch, the system hadn't been sufficiently tested, "exposing a level of uncertainty that can be deemed high risk."
From the text of the memo, the officials didn't appear to have a specific vulnerability in mind. Health and Human Services Secretary Kathleen Sebelius told Congress Wednesday morning that consumers' personal data was safe.
But, as it turns out, there was a specific problem with HealthCare.gov — and in contrast to Sebelius's statements, it definitely did put user data at risk. Ben Simo, an Arizona-based security researcher, discovered as late as last week a flaw in the site that would have allowed an attacker to take over a customer's whole account in the insurance hub.
According to CNN, Simo's report detailed how it was possible to guess a username and have the system confirm it existed. Then he showed how tricking the system's password-reset mechanism could give up a user's e-mail address, unencrypted. A reasonably determined attacker might then be able to use that account information against its owner, finding out the answers to recovery questions and other sensitive information.
What's more, CNN reports, when Simo tried to alert the government, the person on the other end of the line passed him to law enforcement. The security gaps weren't fixed until Oct. 25, nearly a whole month after HealthCare.gov opened for business.