Another Blue Cross Hacked Undetected For Over 18 Months

Excellus Blue Cross Blue Shield revealed that it has been hacked. Excellus did not detect the intrusion itself at all. In fact, it was not until they hired Mandiant to do an audit in the wake of the other Blue Cross hacks that they found out that they had been hacked.

The data of over 10 million customers and other individuals whose data they held is at risk. The breach is believed to have started in December 2013 and was not discovered until August 2015.

In this case, the data was encrypted, but that fact was irrelevant because the hackers masqueraded as a legitimate user. As a result, the system decrypted the data for the hackers. This is the drawback of transparent encryption: it is convenient for the users, but it only protects the data if the computer is stolen while powered off.

The data taken ranges from names and addresses to birthdates and Social Security numbers to financial information, claims data and clinical information. In other words, everything that they could have possibly taken, they took.

Excellus says that “our investigation has not determined that any data was removed from our systems”.

This breach points to several things:

  • Encryption is not a silver bullet, especially transparent encryption where the system keeps the keys for the user. If the hacker comes in as a legitimate user, the system decrypts the data for the hacker.
  • Lack of partitioning of the data allows a hacker to steal everything once they get in. It would appear that whatever credentials the hacker got gave them access to everything Excellus stored.
  • It would appear that they were not using two factor authentication. Two factor is inconvenient for users, so most businesses won’t implement it. However, it is also inconvenient for hackers.
  • Reading between the lines, since they don’t know if data was removed, I would guess that their audit logs were inadequate – either not enough logs or not stored for long enough.
  • They did not even know that they were hacked until someone told them they were.  This is actually quite common, unfortunately.  This means that their real time breach detection was lacking.
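The second, fourth and fifth points above come down to two questions an audit log should be able to answer: did an account read data it was never entitled to, and did a valid account suddenly read far more records than any real user would? The following is an added example, not code from the original post or from Excellus, showing both checks run over a small constructed audit log. The log format, the user names, the partition names (`ny-west`, `ny-east`) and the alert threshold are all assumptions made for the illustration.

```python
"""
Added example (not from the original post): a minimal audit-log review that
flags (1) reads outside an account's entitled data partition and (2) bulk
record access from an otherwise valid account. Every log line, account name,
partition name and threshold here is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines: "timestamp|user|partition|record_id".
# carol's session is built to look like a bulk pull through a valid account.
SAMPLE_LOG = [
    "2015-08-01T09:00:00|alice|ny-west|rec-1001",
    "2015-08-01T09:01:00|alice|ny-west|rec-1002",
    "2015-08-01T09:02:00|alice|ny-west|rec-1003",
    "2015-08-01T09:00:30|bob|ny-east|rec-2001",
    "2015-08-01T09:03:00|bob|ny-west|rec-1007",   # outside bob's partition
] + [
    # 45 distinct records read in 45 seconds at 22:00
    f"2015-08-01T22:00:{i:02d}|carol|ny-west|rec-{3000 + i}"
    for i in range(45)
]

# Constructed entitlements: the partitions each account is allowed to read.
ENTITLEMENTS = {
    "alice": {"ny-west"},
    "bob": {"ny-east"},
    "carol": {"ny-west", "ny-east"},
}


def parse_log(lines):
    """Turn the pipe-delimited lines into event dicts with real timestamps."""
    events = []
    for line in lines:
        ts, user, partition, record_id = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "partition": partition,
            "record_id": record_id,
        })
    return events


def partition_violations(events, entitlements):
    """Reads of a partition the account is not entitled to (least-privilege check)."""
    return [
        (e["user"], e["partition"], e["record_id"])
        for e in events
        if e["partition"] not in entitlements.get(e["user"], set())
    ]


def bulk_access_alerts(events, window=timedelta(minutes=10), max_records=20):
    """Accounts that touch more than max_records distinct records in any window.

    A stolen credential is still a 'legitimate user' to the application, so
    the volume and pace of reads is what gives the session away.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        peak = 0
        for i, start in enumerate(evs):
            # Distinct records read in the window opening at this event.
            seen = {e["record_id"] for e in evs[i:]
                    if e["ts"] - start["ts"] <= window}
            peak = max(peak, len(seen))
        if peak > max_records:
            alerts[user] = peak
    return alerts


def review(lines=SAMPLE_LOG, entitlements=ENTITLEMENTS):
    """Run both checks and return the findings."""
    events = parse_log(lines)
    return {
        "partition_violations": partition_violations(events, entitlements),
        "bulk_access": bulk_access_alerts(events),
    }


if __name__ == "__main__":
    for kind, findings in review().items():
        print(kind, findings)
```

Neither check needs anything exotic: both run on a record-level access log that is actually retained, which is exactly what the post suggests Excellus lacked. Without that log, there is no way to say afterwards which records were read, let alone whether they left.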

This poor job of information risk management will likely cost them millions, from Mandiant’s fee (typically $300-$500 per hour per consultant), to fines, to the cost of credit monitoring, to lost customers.

Once again, you can pay me now or pay me later.  Take your pick.

Information for this post came from Data Breach Today.
