
Anthem data breach: Why the data-centric security message needs resuscitating

Davey Winder picks over last week's high-profile Anthem data breach to see what lessons can be learnt from it


The second largest health insurer in the United States, Anthem, has fallen victim to a massive data breach, details of which emerged last week.

It is thought that as many as 80 million user records were accessed during the security breach, and the source is said to be an 'acquired' employee password, if the security grapevine is to be believed. If that weren't bad enough, the leaked data - which includes the full names, addresses, dates of birth, medical ID numbers, social security numbers and employment details of the firm's customers - wasn't even encrypted.


I'm not getting into who's responsible, with rumours already doing the rounds that state-sponsored Chinese actors are to blame. The truth is that's pretty irrelevant, as the compromised personal information will almost certainly end up on the dark market at some point.

It could be auctioned off to the highest bidder as a single database sale or access to that database could be sold in chunks or rented out. Either way, the end result for the victims is the same: potential fraud on a huge scale. The stolen data is, unlike a credit card, rather difficult to change and could be used for all sorts of scams for many years to come.

The clever criminals will sit on it and wait for media awareness of the breach to die down before striking. Some may strike immediately, but not with the compromised data. Instead, they will take the scattergun approach and launch large-scale phishing campaigns, because Anthem stated it would offer free credit monitoring to affected customers.

With 80 million of these, it's likely that any such campaign using that as the hook will strike a decent enough number of valid hits to make it profitable.

I have to call out Anthem and its stupidity, as far as its IT security smarts are concerned. I've lost count of the number of times I've stated that it's not a matter of if but when a breach will occur within your enterprise, and yes, that really is the baseline your security posture should be built on.

Only when you've understood this can you create a posture that actually protects your data, protects your customers and protects your reputation.

Anthem obviously didn't get it, because if it had, the stolen data would have been encrypted at rest and neutralised, reducing its value to hackers.

How hard can it be to implement a data-centric security strategy in today's threat landscape? How many headlines do you need to read to realise that ensuring a breach yields diddly squat to the attacker is the way forward? How loudly does the IT security community have to shout that DATA IS VALUABLE: PROPERLY ENCRYPTED DATA IS WORTHLESS?

Sure, get breached and you still have to deal with the fallout of a security failing. You still have to figure out what went wrong, show that you've learned the lessons and fixed the hole in your defences, and communicate all this to your customers and the relevant authorities. The big difference between talking about encrypted data and clear text information is the nature that communication takes and how successful it will be.
