FB pixel

HHS removes Login.gov from grantee payment system after cyberattack

HHS removes Login.gov from grantee payment system after cyberattack
 

The U.S. Department of Health and Human Services has removed Login.gov from its grantee payment platform after a security breach in March of last year resulted in hackers stealing millions of dollars from seven different grantee organizations last year, according to Nextgov.

Using a combination of publicly available information and data from SAM.gov, the federal government’s system that manages award data, bad actors were able to impersonate employees at the organizations affected and changed their banking information in the system, successfully stealing $7.5 million.

In February, HHS installed ID.me in place of Login.gov and Twilio, a third party MFA provider, after the latter failed to protect against the breach. Because technical security controls weren’t bypassed, the agency didn’t categorize the act as a cybersecurity incident after speaking with the Cybersecurity and Infrastructure Security Agency, an HHS spokesperson says to Nextgov.

“HHS’ lack of transparency to Congress and the public regarding this breach is deeply concerning,” said Sen. Bill Cassidy in a written statement. “It not only undermines public trust, but suggests the administration is ill-equipped to protect patients against cyberattacks. It is crucial HHS work with Congress and stakeholders to ensure this kind of incident does not happen again.”

HHS and GSA both maintain that Login.gov was not connected to the theft, as the single sign-on system was only authenticating users for the PMS system. Still, two-factor authentication for the system wasn’t enabled until July of last year.

An HHS spokesperson noted that Login.gov doesn’t currently meet requirements to meet NIST IAL2, an identity proofing standard, while ID.me does. The IRS made the switch to ID.me last year for this reason.

GSA also announced it will add facial recognition to Login.gov in May to meet the NIST standard. Meanwhile, HHSs eliminated the username/password combination sign-in option, now requiring either ID.me or a government PIV or CAC card to sign-in, using its External User Management System (XMS), a federated identity platform.

“HHS is assessing all public facing systems to ensure that identity proofing for federal digital services provided to public consumers aligns with NIST guidance and government-wide [identity credential and access management] requirements,” said the HHS spokesperson to Nextgov.  “HHS will continue to leverage Login.gov where appropriate and expand its use once it becomes capable of IAL2 identity proofing.”

Login.gov awarded eight blanket purchase agreements to major identity proofing companies in March.

Related Posts

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News

 

Biometric liveness follows growth trajectory of AI threats

Biometrics and liveness detection are the bulwark against a tide of fraud, including sophisticated attacks using generative AI, in many…

 

More US airlines, airports moving toward biometrics for security, baggage

From Denver to Salt Lake City to Dubai, biometrics and digital ID are being activated to improve security and efficiency…

 

Isle of Man govt plans public consultation on introduction of FRT at ports

The Isle of Man continues to debate the introduction of facial recognition and identity documents to boost security at its…

 

Scottish review calls for clearer standards for police in biometric data retention

The Scottish government, in partnership with the Scottish Biometrics Commissioner, has published a detailed review of biometric data retention practices…

 

North Korean mobile service apps rely on facial recognition

North Korean citizens are required to submit face biometrics to subscribe to mobile services through the official apps of North…

 

Integrated Biometrics, GripID release ‘smallest multimodal biometric device’

Shaped and sized like a modern TV remote or an early iPod Nano, the new multimodal biometric scanner from GripID…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events