Perhaps the biggest lesson from the Anthem theft of data is the action being taken by Attorneys General from several major states. Efforts to protect consumers have long been a mission of states. This cyber theft is causing grief to individuals that public officials can’t ignore.
In addition to the Attorneys General's actions, members of the National Association of Insurance Commissioners requested a multi-state examination of Anthem's cyber measures. The Insurance Commissioners of states including California, Maine and Indiana are leading this effort.
According to Anthem, the cause was theft of administrators' identifications and passwords. Other experts speculate that the intrusion occurred through the Heartbleed exploit and may have started as early as April 2014. If either or both of these were the cause, this wasn't a "sophisticated" intrusion: established cyber measures exist to protect against both situations.
Data stolen included Private Personal Information (PPI): names, addresses, social security numbers, salary information, employment information, and email addresses. The data was not encrypted, nor was it segregated from other databases, so once someone was able to access other data, it was easy to access the PPI as well. Eighty million customers were exposed, and the data of millions of them is suspected to have been stolen. Health data has a high value on the black market, where other criminals purchase it for their own illegal activities.
One trend identified after this theft, as with other recent large thefts, is the surge of related scams. Other criminals send bogus emails or make phone calls to customers asking for PPI, frequently posing as Anthem customer service representatives requesting "verification" of PPI. Once the crook obtains an individual's credit card number or social security number, they use it for illegal transactions.
Anthem seems to have acted quickly in terms of helping its customers. Hotlines have been established and free credit monitoring services offered. They are working closely with many large employers to help communicate with affected employees.
As an Organization, What You Should Do . . .
1. Review your controls for system administrator access.
2. Encrypt sensitive data.
3. Double check that the Heartbleed vulnerability has been patched on your systems. A recent Cisco survey indicated that over 50% of installations vulnerable to Heartbleed have still not been patched. If your security is not up to date, have a penetration test performed immediately to investigate whether hackers are already in your systems.
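The first and third items above are things an organization can start checking the same day. The script below is an added example written for this page, not Anthem's code or any vendor's tool: it (a) triages an `openssl version` banner against the upstream release range affected by Heartbleed (CVE-2014-0160, OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release) and (b) reviews a constructed administrator login log for successful admin logins from outside an assumed jump-host network or outside working hours. The admin account names, the 10.20.0.0/16 network, the working-hours window and the log line format are all assumptions made up for the example.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# --- Item 3: is this OpenSSL build in the Heartbleed-affected upstream range? ---
# Affected releases (CVE-2014-0160): 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
# 1.0.1g and 1.0.2-beta2 carry the fix; 1.0.0 and 0.9.8 lines were never affected.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.I)


def heartbleed_vulnerable(version_banner):
    """Return True if an `openssl version` banner names an affected upstream release.

    Caveat: distributions backport fixes without bumping the letter (a patched
    package can still print 1.0.1e), so True means 'check further', not 'confirmed'.
    """
    m = _VERSION_RE.search(version_banner)
    if not m:
        raise ValueError("unrecognised OpenSSL banner: %r" % version_banner)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter, beta = m.group(4).lower(), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"          # "" (plain 1.0.1) sorts before "a", so it is included
    if (major, minor, patch) == (1, 0, 2):
        return beta == "1"            # only the first 1.0.2 beta shipped the bug
    return False


# --- Item 1: review successful administrator logins against simple controls ---
ADMIN_ACCOUNTS = {"dbadmin", "root", "sa"}                 # assumed privileged accounts
ALLOWED_ADMIN_NETS = [ip_network("10.20.0.0/16")]          # assumed admin jump-host range
WORK_HOURS = range(7, 20)                                  # assumed 07:00-19:59 UTC window

# Assumed log format: "<ISO timestamp>Z user=<name> src=<ip> result=<success|failure>"
_LOG_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\w+)$")


def review_admin_logins(log_lines):
    """Return (timestamp, user, src, reasons) for each successful admin login that
    came from outside the admin network and/or outside working hours."""
    findings = []
    for line in log_lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue                                       # skip lines in another format
        ts, user, src, result = m.groups()
        if user not in ADMIN_ACCOUNTS or result != "success":
            continue                                       # only successful admin use matters here
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        addr = ip_address(src)
        reasons = []
        if not any(addr in net for net in ALLOWED_ADMIN_NETS):
            reasons.append("source outside admin network")
        if when.hour not in WORK_HOURS:
            reasons.append("outside working hours")
        if reasons:
            findings.append((ts, user, src, "; ".join(reasons)))
    return findings


# Constructed sample log for the example (not real data).
SAMPLE_LOG = [
    "2015-02-04T09:15:02Z user=dbadmin src=10.20.3.14 result=success",   # normal
    "2015-02-04T03:12:55Z user=dbadmin src=203.0.113.7 result=success",  # wrong network, off-hours
    "2015-02-04T22:40:10Z user=root src=10.20.3.9 result=success",       # off-hours only
    "2015-02-04T10:01:00Z user=alice src=198.51.100.2 result=success",   # not an admin account
    "2015-02-04T11:00:00Z user=sa src=203.0.113.9 result=failure",       # failed attempt, not counted
]

if __name__ == "__main__":
    for banner in ("OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(banner, "->", "check further" if heartbleed_vulnerable(banner) else "not in affected range")
    for finding in review_admin_logins(SAMPLE_LOG):
        print("REVIEW:", *finding)
```

The version check is a quick first pass only; the penetration test the article recommends is still what confirms whether a given host is actually patched, because a version string does not reflect distribution backports. The login review deliberately ignores failed attempts: the Anthem account of the intrusion is about stolen credentials that worked, so it is the successful logins that need the scrutiny.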