The Consequences and Impact of the Anthem Data Breach
My first and primary concern today is for the Anthem customers in Indiana and throughout the nation who are victims of this cyber attack. I encourage them to utilize the resources provided by Anthem to learn more about this unfortunate situation and to better educate themselves on steps they can take to mitigate its impact.
Cyber attacks are a grave national security concern that must be combated with a powerful sense of urgency and real action. These attacks threaten the personal identities of American consumers and the health of our economy. Too many Americans have less peace of mind because of this looming threat.
I’ve worked on this issue as a U.S. Attorney, former member of the House Committee on Homeland Security and now as a member of the House Energy and Commerce Committee. I am committed to working across the aisle to find solutions that better coordinate efforts between stakeholders and balance privacy concerns with pressing security needs. This is a challenge that must be met head-on.
Anthem, one of the largest health insurers in the US, was the victim of a data breach. Key indicators of compromise started being noticed by the Anthem team late last week. The breached database server hosted personal information (Names, Birthdays, Address, Email, Employment information and Social Security Numbers) on over 80 million individuals. According to the company there was no credit card information, medical history, diagnosis or treatment data stolen. The data was tracked to the abuse of a credentialed user of the database. This points to a targeted attack that was focused on Anthem. Without any investigative intelligence from the inside I can theorize that a phishing email campaign was launched in which a user downloaded malicious code.
Anthem says it contacted the FBI immediately after it discovered the attack, and has commissioned cybersecurity firm Mandiant to evaluate its systems. According to one of the team members the Anthem attack was “sophisticated” and used techniques that appeared to have been customized, rather than broadly available tools, and were “very advanced.” Investigators haven’t yet concluded who was behind the Anthem breach.
President and CEO Joseph Swedish has promised that Anthem will contact all affected members whose information had been compromised, and provide them with free credit monitoring and identity protection services.
If 2014 was the ‘year of breaches’, obviously 2015 is set up as the year of ‘more breaches’. The Anthem breach should be a pointer to all those not yet in the ‘breach club’ to wake up to the new era of cybersecurity and what’s at stake. It’s obvious to the attackers that such breaches can be done – repeatedly and they won’t stop. If you’re an organization that holds sensitive data of its customers or affiliates, ensure that your response to this attack changes from ‘Thank heavens it wasn’t us’ to ‘What if it were us?’ and work relentlessly to avoid such data breaches.
Large institutions such as Anthem are under constant attack. Why? Simply put, the attackers have nothing to lose due to the loose boundaries of the internet and lack of internet laws. Most large organizations are ‘hackable’ due to the fallible nature of humans at work, and outdated security controls and/or inefficient security practices. The key driver behind most of such attacks is obviously financially motivated. Attackers typically want to steal either credit card information or identity of the victims.
In this case, Anthem has acknowledged that personal data was stolen. So, obviously, there was a gap in their controls that led the attackers into their sensitive networks. Internal networks should be designed with the expectation that at some point the end users will get infected, so basic principles such as segmentation of network are important. Adequate controls should be put on servers hosting sensitive information so that incident response can be quick. In this case, the attackers managed to steal information, so evidently the exfiltration went undetected for sometime – which was enough.
Given the nature of details disclosed by Anthem, affected individuals should watch out for identity theft scams. The issue is hot right now, so the attackers are likely to move fast in the upcoming weeks to sell this data in the underground.
It is Anthem’s responsibility for protecting their customers’ sensitive data that was entrusted with them. Giving a timely response to their customers is the least that is expected in such situations. It is yet to be ascertained on the damage done already, we’ll soon find out.
Though this is now said to be the largest data breach in the health care industry, unfortunately it is unlikely to be the last. No details are available yet about how the breach at Anthem occurred, however, from other breaches we have learned that often the security is breached by a targeted spear phishing email attack that is used to plant malware or to entice the recipient to provide credentials that can then be used to gain access to systems. The breach could occur at the company itself, but we have also seen breaches where the actual attack occurred at a supplier through which access was gained to the company’s procurement system.
Anthem should be commended for notifying the FBI so promptly about the breach. Fast and appropriate action could mean that the attackers have not yet been able to cover their tracks.
In order to protect against targeted email attacks, a multi-layered approach is recommended. Conventional email security systems need to be reinforced by implementing an anti-malware solution that uses multiple antivirus engines to scan email attachments, greatly increasing the likelihood that malware is detected, as well as countering threats targeted to bypass a specific engine’s detection capabilities. Document sanitization, where files are converted to a different format and any embedded scripts are removed, acts as another security layer by defusing any possible hidden threats in email attachments that might go undetected by antivirus engines. Employee training on how to detect phishing attacks is also highly recommended, although it is important to be aware that spear phishing attacks are becoming more and more sophisticated and can fool even the most tech-savvy employees.
Attackers bypassing traditional perimeter defenses is now routine – and should be expected. The best defense strategy now is to neutralize sensitive data so that a breach yields nothing in the event of compromise. Leading healthcare entities are already embracing data-centric security to prevent this type of breach yielding valuable data when attacked. The reason is simple : Healthcare data is lucrative to monetize and healthcare providers can expect attacks to rise sharply as other industries like retail merchants progressively eliminate exploitable security gaps with data-centric encryption and tokenization. Cybercrime is a business – and attackers swiftly gravitate to the next easy target with advanced malware and exploit tools.
Constant vigilance is the watchword for cybersecurity, and this breach demonstrates that any company with information of value can be a target – not just those with credit card numbers. Regardless of the sector, the precautions are consistent – understand what software and systems you have, configure them securely, and understand how they’re vulnerable. And since the threat landscape changes constantly, enterprises must be able to continuously evaluate where they stand, and fix security holes as soon as they find them. That can be difficult for any organization, and giving attackers the smallest foothold can result in huge consequences.
Individuals who are affected, or potentially affected, should freeze their credit reports immediately with the three major credit bureaus – Equifax, Transunion, and Experian – to reduce the risk that anyone can open new lines of credit in their names. This is also a good reminder that you shouldn’t use any of your personally identifiable information as answers to your “secret questions” to validate your identity online. Make up your own questions and answers, or use answers that are fictitious, but memorable to you to prevent criminals from guessing their way into your online accounts.
Finally, beware of any emails or calls regarding this incident as they are almost certainly fraudulent. Kudos to Anthem for announcing they will notify the affected customers via mail – that is much harder to spoof. Nonetheless, be on the lookout for potentially fraudulent requests for information requested by mail – remember, the criminals have mailing information, as well. Trust, but verify.