Utah state information was not encrypted and did not have hardened passwords.
Speaking to Deseret News, Stephen Fletcher – who was director of the US state's Department of Technology Services, until he was asked to resign last Tuesday – admitted that there had been a "huge increase in the number of attacks against state systems", specifically by 600 per cent in the past four months.
His replacement, Mark VanOrden, said more than one human error was to blame for the health information of nearly 800,000 Utah citizens falling into untrusted hands, but admitted that it was hard to expect employees to memorise at least 100 pages of policy.
He said that Utah's Medicaid Management Information System was not protected by a firewall as it was upgrading on the date when hackers first gained access to the server. VanOrden also admitted that a process to ensure that new servers are monitored and a risk assessment performed prior to use was not followed.
“Ninety-nine percent of the state's data is behind two firewalls, this information was not. It was not encrypted and it did not have hardened passwords,” VanOrden said.
VanOrden said he will tighten security among personnel, including the use of a possible checklist for any time a change is made to information stored on any of the state's 2,000 servers, and immediate termination for anyone who accesses information not pertinent to their jobs.
On 30 March, attackers began siphoning the names, addresses, birth dates and other personal information of 500,000 Utah residents. The attackers were also able to exfiltrate that data and the social security numbers of 280,000 additional residents.