Unfortunately, the predictions of industry experts that 2015 was going to be another good year for the bad guys have already proven accurate, as Anthem, the second largest health insurance company in the U.S., revealed that hackers had breached its computer systems.
As these things go, this is a big breach: someone with malicious intent got access to a database that contains the records of as many as 80 million people, including customers and employees, with the possibility of even more because of Anthem's extended reach. Anthem has over 37 million members in California and 13 other states, but according to the company that number mushrooms because its database also holds information on other Blue Cross Blue Shield patients from all 50 states who have received healthcare services in its coverage areas.
What we know about the breach
Here is what we know at this early date. Suspicious activity was first noticed and reported on Jan. 27. On Jan. 29, an internal investigation verified that the company had been hacked and that the cyberattack dated back to unauthorized access which appears to have commenced on Dec. 10. The time lag is not unusual in such instances, because sophisticated attacks are by their very nature designed to evade detection. It also gives hackers time to explore their surroundings before launching their exploits.
In a letter from the desk of Joseph R. Swedish, President and CEO of Anthem Inc., it was acknowledged that the database attacked contains such things as names, dates of birth, Social Security numbers, member ID numbers, addresses, phone numbers, email addresses and employment information. The company also said that some of the customer data may include information about their income.
It was also noted that the data breach extended across Anthem's entire business. This means the 80 million accounts at risk include customers at large employers, individual policyholders and people enrolled in Medicaid managed-care plans. The only good news to come out thus far is that it appears no medical records or credit card numbers have been pilfered.
That said, the blogosphere is abuzz with experts pointing out that the attack could be a multi-stage one, as hackers use the stolen information to be even more pernicious. And the company's admission that the stolen information was not encrypted in its database has (see below) security experts aghast.
The letter explains that: “Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation. Anthem has also retained Mandiant, one of the world’s leading cybersecurity firms, to evaluate our systems and identify solutions based on the evolving landscape… We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.” He concluded with an apology noting that his own account had been compromised.
If there is something positive to be said about this attack, it is the proactive effort the company is making to keep people informed. The list of commercial entities, including tech firms who really should know better, that have been less than transparent when bad things happen is long indeed, and it appears Anthem has learned from the mistakes of others in terms of being proactive and not just reactive. In this regard, Swedish advised the following:
Anthem will individually notify current and former members whose information has been accessed. We will provide credit monitoring and identity protection services free of charge so that those who have been affected can have peace of mind. We have created a dedicated website - www.AnthemFacts.com - where members can access information such as frequent questions and answers. We have also established a dedicated toll-free number that both current and former members can call if they have questions related to this incident. That number is: 1-877-263-7995. As we learn more, we will continually update this website and share that information with you.
In fact, the FBI issued a statement about Anthem's response thus far: "Anthem's initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances. Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible."
As others have stated, Anthem has had problems in the past.
The experts weigh in on Anthem’s problems
It should be noted that while Anthem is getting credit for its responsiveness, as mentioned above the company is getting low marks from security experts. Indeed, there has been more than a bit of consternation given the fact that the company, formerly known as WellPoint, had to pay $1.7 million when an investigation by the U.S. Department of Health and Human Services found it had exposed the health records of 612,402 people online because of very lax security practices.
As is my custom in covering these events, a few words from a sampling of the slew of experts who have shared their opinions and advice with me are in order.
Mark Bower, VP of Product Management for Voltage Security, said in an early reaction: "Attackers bypassing traditional perimeter defenses is now routine - and should be expected…The reason is simple: healthcare data is lucrative to monetize and healthcare providers can expect attacks to rise sharply as other industries like retail merchants progressively eliminate exploitable security gaps with data-centric encryption and tokenization. Cybercrime is a business - and attackers swiftly gravitate to the next easy target with advanced malware and exploit tools."
Jason Hart, VP, Cloud Solutions, Identity & Data Protection at Gemalto addressed the encryption issue explaining: “The issue is whether the sensitive stolen information was encrypted. What we see constantly with these types of attacks is that breach prevention and threat monitoring alone will not keep the cyber criminals out. With hacking attempts becoming a common occurrence, being breached is not a question of “if” but “when”...As the average person's risk profile grows, companies need to think about the best way to protect their personal identities with a combination of encryption and authentication. This means using best practice data protection – attaching security directly to the data itself using multi-factor authentication and data encryption, as well as securely managing encryption keys. That way, if the data is stolen, it is useless to the thieves."
Richard Blech, CEO of Secure Channels, a Southern California startup breaking new ground in encryption technology, chimed in: "Anthem is, like many of the others that have been breached, reacting to this breach as an after-the-fact afterthought. This is inexcusable as these types of breaches have reached epidemic proportions, so they should have been prepared and this never should have occurred…Simply securing at the perimeter and securing against malware are wholly insufficient in today's highly sophisticated world community of hackers. All sensitive data like this should be enveloped in security with absolute certainty."
For the moment I will give the last words to Dwayne Melancon, CTO of Tripwire, and Tim Erlin, Director of IT Security and Risk Strategy. Melancon commented that: "Individuals who are affected, or potentially affected, should freeze their credit reports immediately with the three major credit bureaus – Equifax, Transunion, and Experian – to reduce the risk that anyone can open new lines of credit in their names. This is also a good reminder that you shouldn't use any of your personally-identifiable information as answers to your 'secret questions' to validate your identity online. Make up your own questions and answers, or use answers that are fictitious but memorable to you to prevent criminals from guessing their way into your online accounts….Beware of any emails or calls regarding this incident as they are almost certainly fraudulent. Remember, the criminals have mailing information, as well. Trust, but verify."
Erlin may have the most prescient observation: “Anthem’s response so far seems appropriate, but they haven’t yet shared how long they were compromised and when they first discovered the breach. If Sony’s breach warranted a congressional response, there can be little doubt that Anthem will make an appearance on Capitol Hill as well. We can expect this incident to add more fuel to Obama’s cybersecurity initiatives. 2015 could be the year of meaningful cybersecurity legislation.”
So where are we on this one?
Anthem may be doing a good job of being responsive, but it is already clear, even without knowing the details, that it left itself open to exploitation, and given its history one wonders how much damage to the brand will be inflicted, especially if this really is only round one of a series of attacks. The lack of encryption of the database does, as the experts note, strain credulity given what is going on in the world.
In addition, if you are an Anthem customer, the cautions outlined above should be taken very seriously. You will need to keep a close eye on your credit information and be extremely wary of emails. It might be a good idea to write down that telephone number (1-877-263-7995) and use it as your main channel for communicating with Anthem.
Finally, while the NSA may not like "E"verything being encrypted end-to-end, if the massive repositories of our general personal information (which can expose us to financial transactional headaches) and our healthcare information (which can be used for all kinds of diabolical activities) can be so easily compromised, the consequences going forward are almost incalculable, since e-commerce is based on TRUST.
While companies are hesitant to brag about the security measures they take because they do not wish to tip off the bad guys and issue an invitation for an attack, there has to be a way for us to know that the companies we deal with can be trusted before rather than after the fact.
Yes, no security environment is failsafe, and yes, we as users have security obligations as well. However, as report after report has indicated, the number of IT departments that don't even bother with many of the best-practice basics remains large. The bad guys are very adroit at finding those who have let their guard down, and it will only be a matter of time before the next big breach lets us know who they are. The lack of care shown recently by Sony and now Anthem should demonstrate to all organizations that the time to ensure best practices are being followed is yesterday.