UPDATE: In a post on Dark Reading, they have added a few more details. The breach, they say, started December 10th, about two months ago. They detected the breach on January 27th and notified customers 8 days later. Compared to other breaches, that is very quick.
While they are calling this by that overused term, advanced persistent threat or APT, the term is probably appropriate in this case because the malware was customized for Anthem. Mandiant, who is working with Anthem, said the bad guys could likely just change the IOCs (indicators of compromise) and sneak it in undetected somewhere else. That is not a pleasant thought for other insurance companies. All of them, no doubt, are looking in the corners and under the beds to see if they have been had as well.
They were able to detect this because of logging – a database administrator noticed unauthorized queries running with admin credentials. Still it took them two months.
Anthem reset all admin passwords when they discovered this (more power to them. In most organizations, if they did that the world would come crashing down upon them). They also disabled all accounts without two factor authentication (at least they had two factor even if they were not using it everywhere).
The question about encryption has been danced around, although, it is fair to say that if the hackers had database admin credentials, encryption would not have protected them.
Insurance Networking News has a pretty detailed article on the Anthem breach. Investigators believe at this point that the breach was state sponsored, likely by China. If true, that means that two of the largest recent breaches (Anthem and Sony) were either conducted by or sponsored by state actors who are, to be kind, not very friendly to the United States.
James Mapes of security consultancy BestIT says that while credit card numbers go for between 10 cents and 25 cents each, stolen medical records go for between $100 and $300 per record.
Up until now, health care organizations did not spend much money on information security since most of their records were paper based. Now, with the mandate for electronic health records, all of that has changed and unfortunately, Anthem got to be the poster child for information security.
Some people are suggesting that Anthem’s data was not encrypted. That would not surprise me given the performance penalty organizations see when they do encrypt large amounts of data. That means, if the bad guys got inside then the only thing that is between them and the data is likely a password.
When you have to do a large number of queries like Anthem has to do in the course of a day, that password is hardcoded into software (worst case) or in configuration data (best case). In both of these cases, once the bad actor is inside, getting to that password is RELATIVELY easy.
Next comes logins. Two factor authentication makes life harder on users, but also harder for hackers. Some people are speculating that the system admins did not need to use two factor authentication. Only time will tell if that was true at Anthem.
Finally, logging. Extensive logging with really smart AUTOMATED analysis would detect if, for example, a credential is being used way more than it should have been or in a place that it was not expected to be used in. It would also tell if data was being exfiltrated either in a volume that was unexpected or too a place that was unexpected. Some people are speculating that the reason Anthem was able to detect the problem themselves was due to excellent analysis and alerting tools.
Sari Greene of Sage Data Security points out this is not an IT problem but a corporate governance problem. Greene said that the Anthem board is likely discussing the breach today, but hopefully, this is not the first discussion with the board.
My guess is that ongoing, meaningful, board level discussion of information risk is still the exception, not the rule. The cost to Anthem is unknown – depending on how much damage the attackers did, how much change is going to be required to reduce the chances of a future attack and the costs related to litigation and fines.
If you take the low end of the value equation, say $100 per record and cut the number of records in half to 40 million, that would make the value to the hackers of the data at around $4 billion. Cut that in half again if you like – say $2 billion.
Like Willie Sutton said, he robbed banks because that is where the money is. Today, the bank that holds the money is a data bank and Willie Sutton done struck again.
Boards MUST get involved, ask the hard questions and apply the resources – which means people and money – or we will continue to have more Anthems.
As I said yesterday, while the life expectancy of breached credit card data is maybe 30-60 days, a stolen social security number can be combined with other data for the rest of your life. That makes them very interesting to the modern day Willie Suttons.