When do default passwords become a configuration error?
The answer is when your Legal department is managing the fallout after a data breach. The case in point is the Utah Department of Health, which announced this week that over 280,000 records belonging to Medicaid and CHIP recipients were compromised in a breach last week believed to have been perpetrated by a group in Eastern Europe (http://www.health.utah.gov/databreach).
The group exported 25,000 files containing personal information, including Social Security numbers, belonging to hundreds of thousands of individuals. According to the Department, the breach was caused by “a configuration error at the authentication level of a server’s multilayer security system.” This seems like a rather euphemistic way of saying the server had a default password that the attackers were able to exploit. The Department states that it has implemented ‘corrective measures’, which presumably include changing the password. It has also offered free credit monitoring for those affected by the breach.
To learn how to manage default users and passwords in SAP systems, download our free white paper at http://layersevensecurity.com/SAP_security_white_papers.html.