Anthem, one of the largest health insurers in the United States, has announced they have been breached. The company has created the web site http://www.anthemfacts.com/ giving a brief outline of events. While short on details, Anthem notes, “Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.”
The number of records lost is not clear, but the associated FAQ section notes that all product lines of Anthem business were affected, and includes current and former customers and employees. That gives this breach the potential to be in the high tens of millions of records. Media reports indicate the number could be as high as eighty million.
This is the latest in a series of high-profile breaches over the last year. Target, Home Depot, and Sony Pictures Entertainment have made headlines.
From The Wall Street Journal, Anthem CIO Thomas Miller said the attack was first detected about a week before the announcement. A database administrator noticed a query running with his ID, and he hadn’t initiated it. They then tracked the activity to an unnamed external storage system used by the attackers. Further investigation will be needed to find out if, and how much, data may have been exfiltrated.
Interestingly, the same article mentions Anthem does not expect the attack to affect their 2015 financial outlook. This comes shortly after Sony estimated the cost of their recent breach at a little over $15M. However, it’s remarkably difficult to accurately measure the cost of an attack (outside of consultants’ bills), especially where brand trust is concerned. It does stand to reason that organizations that store or process sensitive data (healthcare, financial, retailers) will suffer more, while customers aren’t likely to avoid a movie from Sony Pictures Entertainment because of a breach.
It will be interesting to follow this incident as information emerges. Understanding what was stolen, and how, will likely take some time. While Anthem indicates they are the victim of “a very sophisticated external cyber attack,” I have yet to see a breach announcement where an organization claims to be the victim of a straightforward, preventable attack.
Of course, security is always much easier in retrospect. Large organizations with valuable data do face ever-evolving attacks, collectively referred to as Advanced Persistent Threats (APTs). While compliance standards such as the PCI-DSS (Payment Card Industry Data Security Standard) and HIPAA (Health Insurance Portability and Accountability Act) set minimum requirements for securing valuable financial and healthcare data, respectively, they are not a panacea. Often, the standards have difficulty keeping up with changing environments, including virtualization and public cloud computing.
As information about this breach, and other large-scale breaches, becomes available, it’s wise to consider the security at your own organization: is good enough truly enough?