FB pixel

HHS removes Login.gov from grantee payment system after cyberattack

HHS removes Login.gov from grantee payment system after cyberattack
 

The U.S. Department of Health and Human Services has removed Login.gov from its grantee payment platform after a security breach in March of last year resulted in hackers stealing millions of dollars from seven different grantee organizations last year, according to Nextgov.

Using a combination of publicly available information and data from SAM.gov, the federal government’s system that manages award data, bad actors were able to impersonate employees at the organizations affected and changed their banking information in the system, successfully stealing $7.5 million.

In February, HHS installed ID.me in place of Login.gov and Twilio, a third party MFA provider, after the latter failed to protect against the breach. Because technical security controls weren’t bypassed, the agency didn’t categorize the act as a cybersecurity incident after speaking with the Cybersecurity and Infrastructure Security Agency, an HHS spokesperson says to Nextgov.

“HHS’ lack of transparency to Congress and the public regarding this breach is deeply concerning,” said Sen. Bill Cassidy in a written statement. “It not only undermines public trust, but suggests the administration is ill-equipped to protect patients against cyberattacks. It is crucial HHS work with Congress and stakeholders to ensure this kind of incident does not happen again.”

HHS and GSA both maintain that Login.gov was not connected to the theft, as the single sign-on system was only authenticating users for the PMS system. Still, two-factor authentication for the system wasn’t enabled until July of last year.

An HHS spokesperson noted that Login.gov doesn’t currently meet requirements to meet NIST IAL2, an identity proofing standard, while ID.me does. The IRS made the switch to ID.me last year for this reason.

GSA also announced it will add facial recognition to Login.gov in May to meet the NIST standard. Meanwhile, HHSs eliminated the username/password combination sign-in option, now requiring either ID.me or a government PIV or CAC card to sign-in, using its External User Management System (XMS), a federated identity platform.

“HHS is assessing all public facing systems to ensure that identity proofing for federal digital services provided to public consumers aligns with NIST guidance and government-wide [identity credential and access management] requirements,” said the HHS spokesperson to Nextgov.  “HHS will continue to leverage Login.gov where appropriate and expand its use once it becomes capable of IAL2 identity proofing.”

Login.gov awarded eight blanket purchase agreements to major identity proofing companies in March.

Related Posts

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News

 

Biometrics upgrades arriving at borders (but check the schedule for updates)

New biometric technology is coming to borders in Europe and the UK, but as reflected in several of Biometric Update’s…

 

What is the killer app for verifiable credentials? Daon, Dock and Youverse discuss

Industries such as financial services, healthcare, transport, government and more are increasingly adopting digital verifiable credentials connected to biometrics. Their…

 

Veteran biometrics leaders join FaceTec, Credence, ID.me adds ex-Meta exec

The latest round of appointments in the biometrics and identity management sector includes a former leader of federal government sales…

 

EU announces phased approach for EES

The European Union has proposed a progressive introduction of its biometric traveler registration scheme, the Entry-Exit System (EES). On Wednesday,…

 

Drowsy drivers to get AI-assisted safety prompts

Fatigued drivers are one of the most common hazards on the road, but sleepy-heads on commercial wheels are to get…

 

Chameleon AI masks faces from scraping while preserving image quality

If the first wave of the current AI deluge created complicated challenges, the second wave has often been about using…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events