Anthem data breach: Why the data-centric security message needs resuscitating
Davey Winder picks over last week's high-profile Anthem data breach to see what lessons can be learnt from it
The second largest health insurer in the United States, Anthem, has fallen victim to a massive data breach, details of which emerged last week.
It is thought that as many as 80 million user records were accessed during the security breach, and the source is said to be an 'acquired' employee password, if the security grapevine is to be believed. If that weren't bad enough, the leaked data - which includes the full names, addresses, dates of birth, medical ID numbers, social security numbers and employment details of the firm's customers - wasn't even encrypted.
I'm not getting into who's responsible, with rumours already doing the rounds that state-sponsored Chinese actors are to blame. The truth is that's pretty irrelevant, as the compromised personal information will almost certainly end up on the dark market at some point.
It could be auctioned off to the highest bidder as a single database sale or access to that database could be sold in chunks or rented out. Either way, the end result for the victims is the same: potential fraud on a huge scale. The stolen data is, unlike a credit card, rather difficult to change and could be used for all sorts of scams for many years to come.
The clever criminals will sit on it and wait for media awareness of the breach to die down before striking. Some may strike immediately, but not with the compromised data. Instead, they are taking the scattergun approach and launching large-scale phishing campaigns because Anthem stated it would offer free credit monitoring to affected customers.
With 80 million of these, it's likely that any such campaign using that as the hook will strike a decent enough number of valid hits to make it profitable.
I have to call out Anthem and its stupidity, as far as its IT security smarts are concerned. I've lost count of the number of times I've stated that it's not a matter of if but when a breach will occur within your enterprise, and yes, that really is the baseline your security posture should be built on.
Only when you've understood this can you create a posture that actually protects your data, protects your customers and protects your reputation.
Anthem obviously didn't get it, because if it had, the stolen data would have been encrypted at rest and neutralised, reducing its value to hackers.
How hard can it be to implement a data-centric security strategy in today's threat landscape? How many headlines do you need to read to realise that ensuring a breach yields diddly squat to the attacker is the way forward? How loudly does the IT security community have to shout that DATA IS VALUABLE: PROPERLY ENCRYPTED DATA IS WORTHLESS?
Sure, get breached and you still have to deal with the fallout of a security failing. You still have to figure out what went wrong, show that you've learned the lessons and fixed the hole in your defences, and communicate all this to your customers and the relevant authorities. The big difference between talking about encrypted data and clear text information is the nature that communication takes and how successful it will be.