Anthem data breach: Why the data-centric security message needs resuscitating

Davey Winder picks over last week's high-profile Anthem data breach to see what lessons can be learnt from it

Data breach

The second largest health insurer in the United States, Anthem, has fallen victim to a massive data breach, details of which emerged last week.

It is thought that as many as 80 million user records were accessed during the security breach, and the source is said to be an 'acquired' employee password, if the security grapevine is to be believed. If that weren't bad enough, the leaked data - which includes the full names, addresses, dates of birth, medical ID numbers, social security numbers and employment details of the firm's customers - wasn't even encrypted.

Advertisement - Article continues below

With 80 million victims, it's likely that any phishing campaign using credit monitoring as the hook will strike a decent enough number of valid hits to make it profitable.

I'm not getting into who's responsible, with rumours already doing the rounds that state-sponsored Chinese actors are to blame. The truth is that's pretty irrelevant, as the compromised personal information will almost certainly end up on the dark market at some point.

It could be auctioned off to the highest bidder as a single database sale or access to that database could be sold in chunks or rented out. Either way, the end result for the victims is the same: potential fraud on a huge scale. The stolen data is, unlike a credit card, rather difficult to change and could be used for all sorts of scams for many years to come.

Advertisement - Article continues below

The clever criminals will sit on it and wait for media awareness of the breach to die down before striking. Some may strike immediately, but not with the compromised data. Instead, they are taking the scattergun approach and launching large-scale phishing campaigns because Anthem stated it would offer free credit monitoring to affected customers.

Advertisement - Article continues below

With 80 million of these, it's likely that any such campaign using that as the hook will strike a decent enough number of valid hits to make it profitable.

I have to call out Anthem and its stupidity, as far as its IT security smarts are concerned. I've lost count of the number of times I stated that it's not a matter of if but when a breach will occur within your enterprise, and yes that really is the baseline your security posture should be built on.

Only when you've understood this can you create a posture that actually protects your data, protects your customers and protects your reputation.

Anthem obviously didn't get it, because if it had the stolen data would have been encrypted at rest and neutralised, reducing its value to hackers.

How hard can it be to implement a data-centric security strategy in today's threat landscape? How many headlines do you need to read to realise that ensuring a breach yields diddly squat to the attacker is the way forward? How loudly does the IT security community have to shout that DATA IS VALUABLE: PROPERLY ENCRYPTYED DATA IS WORTHLESS?

Advertisement - Article continues below

Sure, get breached and you still have to deal with the fallout of a security failing. You still have to figure out what went wrong, show that you've learned the lessons and fixed the hole in your defences, and communicate all this to your customers and the relevant authorities. The big difference between talking about encrypted data and clear text information is the nature that communication takes and how successful it will be.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

The best server solution for your SMB

26 Jun 2020