Congress’ Social Security Numbers Leaked in DC Health Link Hack

In a classic “whoopsie” situation, a health data breach affecting members of the US House of Representatives and their staff exposed social security numbers, names of family members, emails, phone numbers, and home addresses, which are now for sale on the dark web. Senators and their staff were also affected, but reports say only their names and the names of family members were released.

Congress was informed of the breach this week, which apparently stemmed from a security incident with DC Health Link, Washington’s government health insurance marketplace.

“DC Health Link suffered a significant data breach,” said Catherine Szpindor, the chief administrative officer of the House of Representatives in a letter to her Capital Hill coworkers, according to the Washington Post. Exact details about the size of the breach weren’t available, but according to the FBI data about hundreds of politicians and staffers was stolen.

The juiciest part of the story comes from details in the AP’s report on the breach. The AP says it chatted with a black-data reseller on an “online crime forum” who said they have data from 170,000 DC Health Link customers for sale. The data monger said they were acting as a middleman on behalf of a shadowy figure named “thekilob,” which you have to admit is a pretty cool-sounding name for an internet bad guy.

The AP couldn’t get a figure on how much thekilob wants for their data horde, which could mean they’re open to haggling, or perhaps a high-stakes game of data rock paper scissors. Personally, I’d recommend best of three and open with rock.

The dark web denizen posted a sample of the data for 12 of the health breach victims. The AP used one of the sample phone numbers to call one of these poor schmucks, who responded “Oh my God.” All dozen people in the free data sample work for the same company or are family members.

According to the AP, the weirdo selling the data set online claimed that it was stolen on Monday. They wouldn’t say whether they were involved in the theft, or if they had purchased the data set and were now trying to turn it around for a profit.

In a classic “whoopsie” situation, a health data breach affecting members of the US House of Representatives and their staff exposed social security numbers, names of family members, emails, phone numbers, and home addresses, which are now for sale on the dark web. Senators and their staff were also affected, but reports say only their names and the names of family members were released.

Congress was informed of the breach this week, which apparently stemmed from a security incident with DC Health Link, Washington’s government health insurance marketplace.

“DC Health Link suffered a significant data breach,” said Catherine Szpindor, the chief administrative officer of the House of Representatives in a letter to her Capital Hill coworkers, according to the Washington Post. Exact details about the size of the breach weren’t available, but according to the FBI data about hundreds of politicians and staffers was stolen.

The juiciest part of the story comes from details in the AP’s report on the breach. The AP says it chatted with a black-data reseller on an “online crime forum” who said they have data from 170,000 DC Health Link customers for sale. The data monger said they were acting as a middleman on behalf of a shadowy figure named “thekilob,” which you have to admit is a pretty cool-sounding name for an internet bad guy.

The AP couldn’t get a figure on how much thekilob wants for their data horde, which could mean they’re open to haggling, or perhaps a high-stakes game of data rock paper scissors. Personally, I’d recommend best of three and open with rock.

The dark web denizen posted a sample of the data for 12 of the health breach victims. The AP used one of the sample phone numbers to call one of these poor schmucks, who responded “Oh my God.” All dozen people in the free data sample work for the same company or are family members.

According to the AP, the weirdo selling the data set online claimed that it was stolen on Monday. They wouldn’t say whether they were involved in the theft, or if they had purchased the data set and were now trying to turn it around for a profit.