Anthem failed to encrypt data prior to cyber-attack

Encryption, which scrambles data so only authorized parties can read it, is considered the most effective way to achieve data security. Several data experts say the lack of encryption made it easier for hackers to gain access to up to 80 million customer records including Social Security numbers, e-mail addresses and other personal information.

Anthem is the nation’s second-largest health insurer, operating Blue Cross and Blue Shield plans in 14 states. It was revealed this week that hackers had stolen millions of records on Anthem customers and employees. The hackers obtained names, birthdays, addresses and Social Security numbers, though there is no sign that they accessed any medical records.

An Anthem spokeswoman said that the company, like other health insurers, only encrypts customer data when it is transferred in or out of its database, but uses "other measures, including elevated user credentials, to limit access to the data when it is residing in a database." She added that the government and employers require insurers to use Social Security numbers as unique identifiers for their customers.

Federal law says health insurers must "address" data encryption in their security protocol, but it's not mandated. For some companies, it comes down to a choice between added security and extra cost, though it's not clear whether encryption alone could have thwarted the attack on Anthem, since it was carried out with stolen employee credentials. The issue isn't exclusive to the healthcare industry, either; Sony Pictures didn't encrypt its data prior to a major cyber attack late last year.

The cyber attack on Anthem Inc. underscores the need for companies to review incident response plans and other measures to ensure they’re ready for the worst, says Patrick Nielsen, a senior security researcher with Kaspersky Lab. “Companies will learn the hard way to take security seriously or do it proactively,” he said.

For highly regulated industries, compliance alone may not be enough. Regulations are “very helpful,” Mr. Nielsen said, “but in a certain way they give a sort of false sense of security.” Instead of checking the compliance box and calling it a day, CIOs can use the Anthem breach as yet another opportunity to increase focus on security at every level of their organizations. To address this, guidance will likely need to come from the CEO, board of directors and others at the top of the corporate totem pole. “It’s definitely one area where there’s a lot to be gained by saying ‘what are all the things we can do to strengthen security here,’ even if they don’t all apply to relevant legislation.”

Think about data retention

Nielsen noted that Anthem’s hacked databases included information about some former customers, and wondered why that data was still around. “Once they’re former members, it’s probably not necessary to keep that information around,” he said.

Sources: Forbes, The Verge, WSJ
