Reporting about data breaches—at major retailers, financial services institutions, insurers and unfortunately a host of large enterprises in other vertical markets where vast amounts of personal information are stored— has become so commonplace that it is almost no longer news.  However, the disclosure that Mountlake Terrace, Washington-based health insurer Premera Blue Cross was the latest victim is something altogether new; it is extremely ominous in terms of the information, about an estimated 11 million customers, that was compromised.

It appears the attackers gained access to customer info which included not just names, dates of birth, Social Security numbers and bank account information, but also claims information, including clinical information all of which dates as far back as 2002.

The 11 million customers at risk are customers of Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and of affiliate brands Vivacity and Connexion Insurance Solutions, Inc. These cover mostly customers in Washington State and Alaska; however, Premera explained that other Blue Cross and Blue Shield plans whose members sought treatment in those states were potential victims as well.  In short, this is not a small breach even if it seems that way in comparison to the recent breach of healthcare insurance giant Anthem which has the potential to impact almost 80 million customers. 

Second is that while Premera said it discovered the attack on January 29, 2015 it indicated that the initial attack occurred May, 5 2014.  In short, as many security professionals have stated, that is way too long to have discovered this.  That said, thus far the company, which has hired cybersecurity firm Mandiant in coordination with the FBI, says it believes that no information that was at risk appears to have yet been used for nefarious reasons.

Premera was not exactly quick to post a message, but once the news could no longer be contained it did a relatively good job of explaining the situation.  In a posting on its site, which includes a video from President and CEO, Jeff Roe, the attack is described along with the steps Premera is taking. Part of the message to policy holders is as follows:

“We’re making available two years of free credit monitoring and identity protection services to anyone affected by this incident. As well as providing more information on this site. If you've been affected, you'll receive a letter from us with more information. Premera won't email you or make unsolicited phone calls to you regarding this incident. Please be on the alert if you are contacted and asked to provide personal information.”

The company was also careful to explain that as of now it is not aware of compromised data being used by hackers to perpetrate further mischief.

What sets this breach apart from previous ones is the hackers’ ability to gain access to claims and medical records.  It puts the bad guys in position to broaden their monetization of stolen information beyond just credit card fraud. In fact, the fear is that the compromising of highly sensitive medical records opens up new possibilities for what is commonly called “ransomware.”  In a word, YIKES!

The security experts react

As you might expect my inbox was flooded with comments from security industry experts.  Two examples are illustrative of their thoughts on the subject.

Jonathan Sander, strategy & research officer, STEALTHbits Technologies, Inc. (www.stealthbits.com),  observed: “Following the Anthem breach, we now have another health care breach at Premera, which makes sense since the black market value of medical records is so high. Medical records are rich in information that can be used for very profitable health care fraud as well as all the traditional scams that stolen data has powered. What’s particularly interesting is that the wave of phishing attacks that followed the Anthem breach has taught Premera a lesson. Premera is stressing that their customers should not reply to emails or open attachments that come from people contacting them about the breach. We’ve seen the birth of a whole new kind of attack that leverages the headlines about breaches to attempt even more breaches in their wake.”

Tim Erlin, director of product management, IT security and risk strategy at Tripwire (www.tripwire.com), said: “When the Anthem breach hit, many in the security industry were well aware they were not alone. Organized criminal syndicates targeting this type of data don’t target one organization, they target an entire industry. Many of the vulnerabilities or security lapses found in one organization are likely to appear in multiple organizations in that same industry. The Premera breach could be much worse for those who are victims as it includes not just information to commit credit fraud, but also medical fraud and potentially sensitive information about medical conditions. 

The fact the breach went undiscovered for seven months indicates that the institution did not have proper detective controls in place to identify an attacker was inside the network. The fact both Anthem and Premera discovered the breaches on the same day indicates to me that it was law enforcement that tipped them off to the data being compromised and believe we will see other organizations that were also breached during this timeframe.” 

The message to policyholders uses the term “sophisticated attack.”  This is an apt description.  That said, it does highlight the point that has been made by many security experts when these things happen.  Hackers like to find the weakest link in what is an expanding attack plane. Once “in” they are patient in looking around so they can get to and compromise the vault that has the highest value.  This is why early detection has become paramount and why detailed visibility in real-time to prevent not just north-south attacks but those that are internal and east-west has emerged as a deterrent that is receiving intense interest. 

What is hopefully going to emerge from the Premera breach are lessons learned.  If non-information technology C-levels have not gotten the message about investing in better detection tools than shame on them.

In regards to the headline, while breaches are hardly a laughing matter, it does seem that the 1965 hit song, “Catch us if you can,” from British rockers Dave Clark Five sums up where we are right now:

Here they come again, mmmm-mm-mm
Catch us if you can, mmmm-mm-mm
Time to get a move on, mmmm-mm-mm
We will yell with all of our might

Catch us if you can
Catch us if you can
Catch us if you can
Catch us if you can    

Let’s hope the good guys can and do.