Reactions to the extensive Anthem data breach

Anthem, the second-largest health insurer in the United States, has suffered a data breach that may turn out to be the largest health care breach to date, as the compromised database holds records of some 80 million individuals.

Here are some of the comments Help Net Security received:

Brian Honan, CEO of BH Consulting and Special Advisor to Europol Cybercrime Centre

This is potentially a significant breach with the personal details of millions of Anthem customers now in the hands of criminals. While Anthem claim there is no evidence that financial or medial data belonging to their customers has been exposed, the information compromised is enough for criminals to commit identity theft.

Late last year the FBI warned US Healthcare providers that criminals were targeting healthcare data as criminals can abuse the personal details of individuals to make fake medical claims, purchase drugs or medical equipment which can then be sold.

Recent analysis of the cybercrime underground market places shows that medical data is worth about $10 per record, which is roughly ten times more than credit card data. While it is important for Anthem and law enforcement to identify who is behind the attack I hope that how the breach occurred will be shared with other healthcare providers to ensure similar attacks don’t succeed against them.

It is disappointing to note that there is no message on Anthem’s home page about the security breach to inform affected customers. Instead, there is a website called anthemfacts.com which hosts a letter and a FAQ on the breach. Interesting to note that while the letter on that site does not mention when the breach was discovered the domain itself was registered back in December 2014.

Thom Langford, Director of Sapient’s Global Security Office

As is so often the case in these incidents, the act and consequences has been reported before the full facts are known. No doubt there will be calls for the CISO and CIO’s heads to roll, even though they may have been actively working hard to avoid just such an incident.

This of course doesn’t make the situation any better or easier to deal with. Various pundits will no doubt talk about the technologies that should have been put in place, procedures, training and awareness etc., but ultimately it comes down to the business itself not recognizing the true value of the data that was stolen and applying the right resources to protect it. That may be money, technology, people, or possibly even a new CISO.

Charles Sweeney, CEO at Bloxx

That no financial or medical information has been stolen is clearly a good thing. However, a substantial about of personal information has been compromised in this attack and Anthem’s customer’s would be right to worry about identity theft. These details taken be all someone would need in order to set up a utility bill in your name, secure a mobile phone contract and register for a whole host of services.

Translate that into the digital world and the stakes are significantly upped. We have so many different profiles that it can be hard to keep track of them all. This creates a window of opportunity for someone with malicious intent to capitalize on. Whilst your CVC number might not have been stolen, what are you most concerned about – that (where in the majority of cases the banks have processes in place to recoup your losses) or your Facebook log in being stolen? For a lot of people it would most definitely be the latter. Our social profile is in many ways to set of virtual keys to our lives.

Companies that store our data have a responsibility to keep it – all of it – safe. This is becoming increasingly hard in the face of persistent and increasingly sophisticated attacks, but the default reaction that no financial information was stolen is no longer good enough. All data has a value and as such, no data is OK to lose.

Sergio Galindo, General Manager at GFI Software

The healthcare sector, particularly in the US where patient records are electronic, has been a cause for concern in the industry given the significantly high value placed on the data held by healthcare bodies about patients – social security numbers, addresses, payment data, not to mention the actual health history itself. In the hands of criminals, this data can sell for substantial amounts, in many cases a healthcare record is worth 10 times more than a basic set of credit card details in criminal circles.

However, there is also another consideration, the value of healthcare records relating to children. Security numbers do not change, so in the case of the children, who do not have a credit history yet, their ID is currently clean and will become a target in future. Stealing the data today and sitting on it for five or 10 years makes a lot of sense. Adults are afforded a degree of protection from identity thefts, but children are not really covered in the same way. Breaches like the one at Anthem will likely continue as criminals look to mine a rich seam of data that, once the owners reach adulthood, can be exploited for significant gain.

Per Thorsheim, Independent Information Security Advisor, founder of PasswordsCon

From a Norwegian, perhaps European, point of view, I am surprised that this type of attack hasn’t happened, or at least hasn’t been disclosed to the public in Europe. As far as I can tell, the type of information currently exposed in this attack seems more valuable from a seller’s point of view in the US compared to Europe.

Currently there is very little information available about this breach at Anthem Inc., but I wouldn’t be surprised if the “very sophisticated external cyber attack” statement will turn into “same weaknesses and vulnerabilities used all over again. And again.

Lee Weiner, SVP Products and Engineering, Rapid7

The FBI has commended Anthem for its quick response to this breach. Being able to detect and address a security incident quickly is a huge challenge and can make all the difference in terms of the impact and ability to pursue the culprits. Based on the limited information available, it sounds like Anthem discovered the problem pretty quickly and was able to move fast in confirming an incident and calling in support from law enforcement and information security responders.

Current and former Anthem members should be vigilant for so-called “piggy back” attacks – criminals leveraging concerns over the Anthem breach to launch social engineering attacks that target Anthem members. These would likely be in the form of emails or calls designed to trick worried consumers into taking an action or sharing confidential information such as financial details. Consumers should be suspicious of any unsolicited calls or emails – don’t click on links, or provide personal information over the phone or email. If you get a call, offer to call back and use your search engine to find the appropriate number. Do likewise for any emails.

For organizations who may employee individuals whose personal information was stolen may also want to take additional precautions as employees often use the same login credentials across corporate and personal websites. No mention of stolen passwords has been noted, but organizations may still want to exercise caution and ask affected employees to change their passwords for any corporate access and applications.

Adam Meyer, Chief Security Strategist at SurfWatch Labs

Anthem discovered the attack when a database administrator noticed unauthorized queries running with admin credentials. Data exfiltration was performed through an external web storage provider “commonly used by U.S. companies,” which suggests a service such as Google Cloud, Microsoft One Drive, or Dropbox was utilized to reduce chances of detection.

Early statements indicate that Protected Health Information (PHI) was not included in the stolen data in which case HIPAA regulations would not apply to this incident. The breach will definitely garner a great deal of attention however and that could hurt Anthem’s reputation with customers and the public.

We don’t know the origin or identities of the attackers but an attack this size is likely financially motivated. Social Security numbers typically sell on black market sites for $3-$5. Investigators have not yet found Anthem data for sale online.

Because this breach is in the early stages of forensics, recommended actions at this point are general in nature. Upon discovery, Anthem reset all passwords with privileged access across their environment and disabled accounts without two-factor authentication. Statements indicating that the company immediately made every effort to close the security vulnerability suggest that a known vulnerability was exploited in the corporate web environment or that a payload was delivered via spear phishing to employees but was easily corrected once identified as the point of entry. Data was exfiltrated to a known cloud storage provider likely utilizing authorized credentials.

Right now, concerned organizations should:

• Instruct the CIO to conduct a review of database activity in their environment and the account activities of privileged users
• Review network traffic logs to identify any activity resembling abnormal cloud storage activity
• Review the vulnerability management posture of web services as well as workstations for individuals with privileged accounts.

Dwayne Melancon, CTO, Tripwire

Constant vigilance is the watchword for cybersecurity, and this breach demonstrates that any company with information of value can be a target – not just those with credit card numbers. Regardless of the sector, the precautions are consistent – understand what software and systems you have, configure them securely, and understand how they’re vulnerable. And since the threat landscape changes constantly, enterprises must be able to continuously evaluate where the stand and fix security holes as soon as they find them. That can be difficult for any organization, and giving attackers the smallest foothold can result in huge consequences.

Individuals who are affected, or potentially affected, should freeze their credit reports immediately with the three major credit bureaus – Equifax, Transunion, and Experian – to reduce the risk that anyone can open new lines of credit in their names. This is also a good reminder that you shouldn’t use any of your personally-identifiable information as answers to your “secret questions” to validate your identity online. Make up your own questions and answers, or use answers that are fictitious but memorable to you to prevent criminals from guessing their way into your online accounts.

Finally, beware of any emails or calls regarding this incident as they are almost certainly fraudulent. Kudos to Anthem for announcing they will notify the affected customers via mail – that is much harder to spoof. Nonetheless, be on the lookout for potentially fraudulent requests for information requested by mail – remember, the criminals have mailing information, as well. Trust, but verify.

Jaime Blasco, VP and Chief Scientist of AlienVault

If confirmed, we are dealing with one of the biggest data breaches in history and probably the biggest data breach in the healthcare industry. If you are wondering what it means for individuals, in a few words: it is a nightmare. If the attackers had access to names, birthdays, addresses and social security numbers, it means that information can be easily used to carry out identity theft schemes.

It is yet unclear who is behind the attack, but if the group behind that compromised Anthem and plans to sell that information on the black market, it means cybercriminals can buy access to the stolen data and use that information to drain your bank account, open new credit accounts and telephone accounts or even utility accounts. They can even obtain medical care using your information.