The first thing I do in the morning when I reach the office is check my email. Today, I received this email from Anthem before I even saw the news:
I have to give Anthem credit. I learned about the breach directly from the CEO before all the hype and speculation hit. This is the level of caring and responsibility I personally expect as an Anthem customer. So now that the news is out there, let’s talk about the technical aspects of the breach.
The news media has been quick to latch onto information regarding the Anthem breach. Few details have been publicly released, except that suspicious database activity occurred a little over a week ago and that law enforcement (FBI) was notified of the breach. FireEye (Mandiant) has been contracted to assist in the investigation, and early reports suggest the attack originated from China.
This leads to the obvious questions of what was taken and what wasn’t touched:
Data Disclosed:
names, birthdays, medical IDs, Social Security numbers, addresses, email addresses, employment information, and income
Data Not Disclosed:
medical records, credit cards, current and previous subscribers
So we have a breach that affected 80 million people. What government penalty or oversight will Anthem have to endure? That is a huge unknown. It is tempting to conclude that because no clinical records were taken, HIPAA (the Health Insurance Portability and Accountability Act of 1996) is not in play, but that is not clear-cut: Anthem is a health plan, which makes it a HIPAA covered entity, and the Privacy Rule's definition of protected health information covers demographic identifiers such as names, Social Security numbers and member ID numbers when a covered entity holds them in connection with coverage or payment, not only treatment records. How regulators treat a breach of identifiers without clinical data remains to be seen. Since no credit card data was taken, PCI DSS does not come into it either.
Whatever the regulators decide, the compliance question is secondary to the practical one. I would argue that my Personally Identifiable Information (PII) is more valuable to an attacker than my medical records, since it can be used for very targeted attacks, especially when combined with my employer information. This appears to have been a deliberate attack looking for specific information, and the attackers found what they were looking for.
So what’s next? The headlines have just begun, and more details are sure to come to light. For instance, we’ll hopefully learn how an external attacker gained an internal foothold, and which vulnerabilities and privileges were leveraged to reach Anthem’s database. Expect more focus on privileges in particular: queries that return tens of millions of member records, and the funneling of that data out of the network, point to the use of an account with elevated database access.
There is no solution that can prevent all types of threats. However, best practices can make a significant difference. At BeyondTrust, we have several solutions that potentially could have identified or stopped this threat from occurring in the first place:
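To make “identified” concrete, here is an added example (not BeyondTrust’s or Anthem’s code) of the kind of check a database activity monitor would run: a baseline-based review of audit records that flags bulk, off-hours or unfiltered reads of a member PII table by privileged accounts. The audit records, the `members` table, the account names and the thresholds are all constructed for illustration.

```python
"""Flag bulk reads of member PII by privileged database accounts.

Added example, not BeyondTrust's or Anthem's code. The audit records are
constructed to resemble a generic database audit log; the field layout,
table name, account names and thresholds are assumptions for illustration.
"""
from datetime import datetime

# Constructed sample audit records: (timestamp, account, statement, rows_returned).
AUDIT_LOG = [
    ("2015-01-27 09:12:04", "app_svc",    "SELECT name, dob FROM members WHERE member_id = 1001", 1),
    ("2015-01-27 09:12:09", "app_svc",    "SELECT name, dob FROM members WHERE member_id = 1002", 1),
    ("2015-01-27 23:41:10", "dba_admin",  "SELECT name, ssn, dob, address FROM members", 80000000),
    ("2015-01-28 02:05:33", "dba_admin",  "SELECT name, ssn, employer, income FROM members WHERE state = 'CA'", 5200000),
    ("2015-01-28 10:15:00", "report_svc", "SELECT COUNT(*) FROM members", 1),
]

# Assumed classification of tables and accounts (would come from inventory/IAM in practice).
PII_TABLES = {"members"}
PRIVILEGED_ACCOUNTS = {"dba_admin"}
BUSINESS_HOURS = range(7, 19)
# Assumed per-account ceiling on rows a single statement may return.
ROW_BASELINE = {"app_svc": 10, "report_svc": 1000, "dba_admin": 1000}


def touches_pii(statement):
    """True if the statement names a table classified as holding PII."""
    tokens = statement.lower().replace(",", " ").split()
    return any(tok in PII_TABLES for tok in tokens)


def evaluate(records):
    """Return a list of (timestamp, account, reasons) alerts for suspicious PII reads.

    Three independent signals are checked per statement, so a single alert
    can carry several reasons; a statement with no reasons is not reported.
    """
    alerts = []
    for ts, account, stmt, rows in records:
        if not touches_pii(stmt):
            continue
        reasons = []
        baseline = ROW_BASELINE.get(account, 0)  # unknown accounts get a zero baseline
        if rows > baseline:
            reasons.append(f"rows_returned={rows} exceeds baseline {baseline}")
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        if account in PRIVILEGED_ACCOUNTS and hour not in BUSINESS_HOURS:
            reasons.append(f"privileged account active at hour {hour:02d}")
        if account in PRIVILEGED_ACCOUNTS and "where" not in stmt.lower():
            reasons.append("unfiltered read of a PII table by privileged account")
        if reasons:
            alerts.append((ts, account, reasons))
    return alerts


if __name__ == "__main__":
    for ts, account, reasons in evaluate(AUDIT_LOG):
        print(f"{ts} {account}: " + "; ".join(reasons))
```

Run against the constructed log, only the two `dba_admin` statements are reported: the first for exceeding its row baseline, running at 23:41 and reading the table without a filter, the second for the row count and the 02:05 timestamp. The application and reporting accounts stay quiet because their returned row counts sit within their baselines, which is the point: the alert is driven by the combination of privilege and volume rather than by the query text alone.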
Stay tuned to the BeyondTrust Blog for more information on the Anthem breach and what you can do to reduce your organization’s risk of similar security incidents.