Anthem data breach: Why the data-centric security message needs resuscitating

Davey Winder picks over last week's high-profile Anthem data breach to see what lessons can be learnt from it

The second largest health insurer in the United States, Anthem, has fallen victim to a massive data breach, details of which emerged last week.

It is thought that as many as 80 million user records were accessed during the security breach, and the source is said to be an 'acquired' employee password, if the security grapevine is to be believed. If that weren't bad enough, the leaked data - which includes the full names, addresses, dates of birth, medical ID numbers, social security numbers and employment details of the firm's customers - wasn't even encrypted.

With 80 million victims, it's likely that any phishing campaign using credit monitoring as the hook will strike a decent enough number of valid hits to make it profitable.

I'm not getting into who's responsible, with rumours already doing the rounds that state-sponsored Chinese actors are to blame. The truth is that's pretty irrelevant, as the compromised personal information will almost certainly end up on the dark market at some point.

It could be auctioned off to the highest bidder as a single database sale or access to that database could be sold in chunks or rented out. Either way, the end result for the victims is the same: potential fraud on a huge scale. The stolen data is, unlike a credit card, rather difficult to change and could be used for all sorts of scams for many years to come.

The clever criminals will sit on it and wait for media awareness of the breach to die down before striking. Some may strike immediately, but not with the compromised data. Instead, they are taking the scattergun approach and launching large-scale phishing campaigns because Anthem stated it would offer free credit monitoring to affected customers.

With 80 million of these, it's likely that any such campaign using that as the hook will strike a decent enough number of valid hits to make it profitable.

I have to call out Anthem and its stupidity, as far as its IT security smarts are concerned. I've lost count of the number of times I stated that it's not a matter of if but when a breach will occur within your enterprise, and yes that really is the baseline your security posture should be built on.

Only when you've understood this can you create a posture that actually protects your data, protects your customers and protects your reputation.

Anthem obviously didn't get it, because if it had, the stolen data would have been encrypted at rest and neutralised, reducing its value to hackers.

How hard can it be to implement a data-centric security strategy in today's threat landscape? How many headlines do you need to read to realise that ensuring a breach yields diddly squat to the attacker is the way forward? How loudly does the IT security community have to shout that DATA IS VALUABLE: PROPERLY ENCRYPTED DATA IS WORTHLESS?

Sure, get breached and you still have to deal with the fallout of a security failing. You still have to figure out what went wrong, show that you've learned the lessons and fixed the hole in your defences, and communicate all this to your customers and the relevant authorities. The big difference between talking about encrypted data and clear text information is the nature that communication takes and how successful it will be.
