Anthem failed to encrypt data prior to cyber-attack

Uploaded on 2015-02-09 in BUSINESS-Services-Health & Welfare, BUSINESS-Services-Financial, FREE TO VIEW, NEWS-Cybersecurity News

Encryption, which scrambles data so only authorized parties can read it, is considered the most effective way to achieve data security. Several data experts say the lack of encryption made it easier for hackers to gain access to up to 80 million customer records including Social Security numbers, e-mail addresses and other personal information.

Anthem is the nation’s second-largest health insurer, operating Blue Cross and Blue Shield plans in 14 states. And it was revealed this week that the hackers have stolen millions of records on customers and employees at Anthem. The hackers obtained the names, birthdays, addresses, and social security numbers, though there is no sign that they accessed any medical records.

An Anthem spokeswoman said that the company, like other health insurers, only encrypts customer data when it's transferred in or out of its database, but uses "other measures, including elevated user credentials, to limit access to the data when it is residing in a database." She adds that the government and employers require insurers to use social security numbers as unique identifiers for their customers.

Federal law says health insurers must "address" data encryption in their security protocol, but it's not mandated. For some companies, it comes down to a choice between added security and extra cost, though it's not clear whether encryption alone could have thwarted the attack on Anthem, since it was carried out with stolen employee credentials. The issue isn't exclusive to the healthcare industry, either; Sony Pictures didn't encrypt its data prior to a major cyber attack late last year.
The cyber attack on Anthem Inc. underscores the need for companies to review incident response plans and other measures to ensure they’re ready for the worst, says Patrick Nielsen, a senior security researcher with Kaspersky Lab. “Companies will learn the hard way to take security seriously or do it proactively,” he said.

For highly regulated industries, compliance alone may not be enough. Regulations are “very helpful,” Mr. Nielsen said, “but in a certain way they give a sort of false sense of security.” Instead of checking the compliance box and calling it a day, CIOs can use the Anthem breach as yet another opportunity to increase focus on security at every level of their organizations. To address this, guidance will likely need to come from the CEO, board of directors and others at the top of the corporate totem pole. “It’s definitely one area where there’s a lot to be gained by saying ‘what are all the things we can do to strengthen security here,’ even if they don’t all apply to relevant legislation.”

Think about data retention Nielsen noted that Anthem’s hacked databases included information about some former customers, and wondered why that data was still around. “Once they’re former members, it’s probably not necessary to keep that information around,” he said.

Forbes:   The Verge:  WSJ

 

 

« Did the White House Use Drone Killing Technology?
UK Police: 'Innocent people' on unregulated photo database »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Snort

Snort

Snort is an open source intrusion prevention system capable of real-time traffic analysis and packet logging.

Hack in the Box Security Conference (HitBSecConf)

Hack in the Box Security Conference (HitBSecConf)

HITBSecConf is a platform for the discussion and dissemination of next generation computer security issues. Our events feature two days of training and a two-day multi-track conference

SANS CyberStart

SANS CyberStart

SANS CyberStart is a unique and innovative suite of tools and games designed to introduce children and young adults to the field of cyber security.

Windscribe

Windscribe

Windscribe is a Virtual Private Network services provider offering secure encrypted access to the internet.

Bangladesh Computer Council (BCC)

Bangladesh Computer Council (BCC)

Bangladesh Computer Council (BCC) is a government body providing support for ICT related activities including formulating national ICT strategy and policy.

Pluribus One

Pluribus One

Pluribus One develops customized solutions and other data-driven applications to secure your business and your devices.

Kippeo Technologies

Kippeo Technologies

Kippeo is a security systems integrator providing innovative solutions that look at all the parameters and connect all the dots.

Infosequre

Infosequre

Infosequre builds up your security awareness culture and turns your employees into the first line of defense against cyber risks.

TekSynap

TekSynap

TekSynap is a full spectrum Information Technology services provider to federal government agencies.

Outsource Group

Outsource Group

Outsource Group is an award winning Cyber Security and IT Managed Services group working with a range of SME/Enterprise customers across the UK, Ireland and internationally.

QA Consultants

QA Consultants

QA Consultants is North America’s largest software quality engineering services firm, an award-winning onshore provider of software testing and quality assurance solutions.

Qevlar AI

Qevlar AI

Qevlar AI empowers SOC teams, to eliminate redundant tasks and refocus on what truly matters - making the most of every employee within the SecOps team.

US Insider Risk Management Center of Excellence (US-InRM)

US Insider Risk Management Center of Excellence (US-InRM)

The US-InRM Center of Excellence is a nonprofit organization dedicated to promoting private, public, and academic partnerships to foster knowledge sharing and resources to mitigate insider risk.

Cyber Advisors

Cyber Advisors

Cyber Advisors offers customizable cyber security solutions and IT services for businesses of all sizes across the nation from experts you can trust.

enQase

enQase

enQase offers security beyond PQC; the only comprehensive, scalable solution that utilizes enhanced quantum technologies to protect data against current and future quantum threats.

Sesame Technologies

Sesame Technologies

Sesame Technologies provides advanced cybersecurity services to protect businesses from digital threats.