In-depth

Anthem data breach: Why the data-centric security message needs resuscitating

Davey Winder picks over last week's high-profile Anthem data breach to see what lessons can be learnt from it

Data breach

The second largest health insurer in the United States, Anthem, has fallen victim to a massive data breach, details of which emerged last week.

It is thought that as many as 80 million user records were accessed during the security breach, and the source is said to be an 'acquired' employee password, if the security grapevine is to be believed. If that weren't bad enough, the leaked data - which includes the full names, addresses, dates of birth, medical ID numbers, social security numbers and employment details of the firm's customers - wasn't even encrypted.

With 80 million victims, it's likely that any phishing campaign using credit monitoring as the hook will strike a decent enough number of valid hits to make it profitable.

I'm not getting into who's responsible, with rumours already doing the rounds that state-sponsored Chinese actors are to blame. The truth is that's pretty irrelevant, as the compromised personal information will almost certainly end up on the dark market at some point.

It could be auctioned off to the highest bidder as a single database sale or access to that database could be sold in chunks or rented out. Either way, the end result for the victims is the same: potential fraud on a huge scale. The stolen data is, unlike a credit card, rather difficult to change and could be used for all sorts of scams for many years to come.

The clever criminals will sit on it and wait for media awareness of the breach to die down before striking. Some may strike immediately, but not with the compromised data. Instead, they are taking the scattergun approach and launching large-scale phishing campaigns because Anthem stated it would offer free credit monitoring to affected customers.

With 80 million of these, it's likely that any such campaign using that as the hook will strike a decent enough number of valid hits to make it profitable.

I have to call out Anthem and its stupidity, as far as its IT security smarts are concerned. I've lost count of the number of times I stated that it's not a matter of if but when a breach will occur within your enterprise, and yes that really is the baseline your security posture should be built on.

Only when you've understood this can you create a posture that actually protects your data, protects your customers and protects your reputation.

Anthem obviously didn't get it, because if it had the stolen data would have been encrypted at rest and neutralised, reducing its value to hackers.

How hard can it be to implement a data-centric security strategy in today's threat landscape? How many headlines do you need to read to realise that ensuring a breach yields diddly squat to the attacker is the way forward? How loudly does the IT security community have to shout that DATA IS VALUABLE: PROPERLY ENCRYPTYED DATA IS WORTHLESS?

Sure, get breached and you still have to deal with the fallout of a security failing. You still have to figure out what went wrong, show that you've learned the lessons and fixed the hole in your defences, and communicate all this to your customers and the relevant authorities. The big difference between talking about encrypted data and clear text information is the nature that communication takes and how successful it will be.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Security best practices for PostgreSQL

Securing data with PostgreSQL

Download now

Transform your MSP business into a money-making machine

Benefits and challenges of a recurring revenue model

Download now

The care and feeding of cloud

How to support cloud infrastructure post-migration

Watch now

Recommended

How to encrypt files and folders in Windows 10
encryption

How to encrypt files and folders in Windows 10

9 Apr 2021
The definitive guide to IT security
Whitepaper

The definitive guide to IT security

9 Apr 2021
Evidence suggests REvil behind Harris Federation ransomware attack
ransomware

Evidence suggests REvil behind Harris Federation ransomware attack

9 Apr 2021
Fujitsu taps Trend Micro to secure private 5G networks in smart factories
5G

Fujitsu taps Trend Micro to secure private 5G networks in smart factories

8 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Data belonging to 500 million LinkedIn users found for sale on hacker marketplace
hacking

Data belonging to 500 million LinkedIn users found for sale on hacker marketplace

8 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021