How would I know it was your birthday? Well, I don’t, but the hackers who stole personal data from Anthem sure know. It has been estimated that nearly 80 million people may have been affected by this latest security breach. What was stolen? Just Social Security numbers, dates of birth, employment information, phone numbers, and addresses; you know, just the things you need to secure credit in the U.S.
Anthem claims there is no evidence that medical records have been compromised, but last time I asked for my CT scans, all it took was my name, SSN, date of birth, and my signature to get my hands on them. So if the hackers found something useful in the medical records, perhaps these could have been compromised as well.
Beyond the impact to our privacy, I’d like to explore why this keeps happening and what may be necessary to end these damaging, high-profile breaches. Target, Home Depot, and a number of financial institutions have all succumbed to cyber-attacks in the past. I wrote a lengthy blog about Target last year, when it suffered its own cyber-attack. What is different between the attacks on the big retailers and the attack on Anthem? Honestly, not much. Each was orchestrated by a team of hackers, whom some have called “sophisticated”, to steal the credentials of personnel and collect the data. The disturbing part is the amount of personal information that is thought to have been stolen.
According to guidelines outlined in the HIPAA ‘Security Rule’: “The covered entity (in this case, Anthem) must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework.”
Although I haven’t spoken to Anthem, I would bet the organization is in compliance. But what does this matter when log-in information is stolen from someone with credentials to access data within a particular system? Whether or not that data was encrypted seems immaterial.
In an article entitled ‘Anthem: how does a breach like this happen?’ by CSO staff writer Steve Ragan, John Zurawski, a VP at Authentify, raises an intriguing issue: “It will be interesting to discover of what exactly the DBA’s credentials consisted. If they were simply a username and a password, shame on Anthem. Even President Obama has figured out that systems containing PII (personally identifiable information) need two-factor authentication, and said so in his Presidential cyber security directive.”
If we do not take these new attacks seriously and employ the right tiers of security, we will continue to see things like this pop up. In his piece, Ragan speculates that this could have been the result of a “phishing” campaign launched by the hackers, who he says were very persistent, so persistent that they were able to compromise the credentials of five Anthem employees.
One could categorize this type of hacking as social engineering, similar to the techniques employed by Kevin Mitnick back in the late 80s and 90s. Incidentally, Mitnick was eventually convicted of hacking into a number of computer systems. But all this only strengthens my conviction that data is much easier to restore than customer loyalty and trust.
So what is the answer? Well, it’s clear that we can no longer just sit back and wait for a breach to happen, because once it does, it has a huge ripple effect. Although there is no appetite for more government regulations that force companies to comply with stricter security policies, I believe – sadly – that is where we may be heading. I say this based on a personal experience from the 1980s and early 90s. Where I grew up, in the mid-western area of the U.S., it was commonplace for local paper mills to dump their chemical waste into water sources, which fed into the Mississippi River. These companies knew it was wrong, but also knew it was cheaper to pay the fines, if and when they were caught, than to do the right thing from the start. It wasn’t until the federal government and the state of Wisconsin filed lawsuits against nine paper companies and two local municipalities that behaviors and actions began to change.
Something has to change; those of us who are trusted to maintain the security of digital information must take the right steps to ensure the safety of that digital information. I’m holding my breath on the next one that we’ll hear about. I hope that I am wrong, but if there is one thing I have learned about hackers, it is that they can be persistent.
-Chapa, signing off