Stolen credentials and no MFA.....

Let's break this down:

Username ✔️
Password ✔️
......no multi factor ?

They are in the system, for 10 days before serious damage erupts.

10 days?

What security posture allows a threat actor to browse, investigate, and surf about for 10 days undetected?

Harsh question. I don't envy the stress at Change Healthcare. Hindsight is always 20/20 of course.

This is just 1 huge reminder that if you're still a member of #itwonthappentome just remember, that cost Change Healthcare a self reported 892 million. Oh and the PHI of 1/3 of the country.... which they did not get back.

Harden the Target, stay Vigilant!

Reflections on article tagged below: