Anthem failed to encrypt data prior to cyber-attack

Uploaded on 2015-02-09 in BUSINESS-Services-Health & Welfare, BUSINESS-Services-Financial, FREE TO VIEW, NEWS-Cybersecurity News

Encryption, which scrambles data so only authorized parties can read it, is considered the most effective way to achieve data security. Several data experts say the lack of encryption made it easier for hackers to gain access to up to 80 million customer records including Social Security numbers, e-mail addresses and other personal information.

Anthem is the nation’s second-largest health insurer, operating Blue Cross and Blue Shield plans in 14 states. And it was revealed this week that the hackers have stolen millions of records on customers and employees at Anthem. The hackers obtained the names, birthdays, addresses, and social security numbers, though there is no sign that they accessed any medical records.

An Anthem spokeswoman said that the company, like other health insurers, only encrypts customer data when it's transferred in or out of its database, but uses "other measures, including elevated user credentials, to limit access to the data when it is residing in a database." She adds that the government and employers require insurers to use social security numbers as unique identifiers for their customers.

Federal law says health insurers must "address" data encryption in their security protocol, but it's not mandated. For some companies, it comes down to a choice between added security and extra cost, though it's not clear whether encryption alone could have thwarted the attack on Anthem, since it was carried out with stolen employee credentials. The issue isn't exclusive to the healthcare industry, either; Sony Pictures didn't encrypt its data prior to a major cyber attack late last year.
The cyber attack on Anthem Inc. underscores the need for companies to review incident response plans and other measures to ensure they’re ready for the worst, says Patrick Nielsen, a senior security researcher with Kaspersky Lab. “Companies will learn the hard way to take security seriously or do it proactively,” he said.

For highly regulated industries, compliance alone may not be enough. Regulations are “very helpful,” Mr. Nielsen said, “but in a certain way they give a sort of false sense of security.” Instead of checking the compliance box and calling it a day, CIOs can use the Anthem breach as yet another opportunity to increase focus on security at every level of their organizations. To address this, guidance will likely need to come from the CEO, board of directors and others at the top of the corporate totem pole. “It’s definitely one area where there’s a lot to be gained by saying ‘what are all the things we can do to strengthen security here,’ even if they don’t all apply to relevant legislation.”

Think about data retention Nielsen noted that Anthem’s hacked databases included information about some former customers, and wondered why that data was still around. “Once they’re former members, it’s probably not necessary to keep that information around,” he said.

Forbes:   The Verge:  WSJ

 

 

« Did the White House Use Drone Killing Technology?
UK Police: 'Innocent people' on unregulated photo database »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

BruCON

BruCON

Brucon is Belgiums premium security and hacking conference.

CFC Underwriting

CFC Underwriting

CFC is a specialist insurance provider and a pioneer in emerging risk, including cyber insurance.

Uniken

Uniken

Uniken REL-ID is a safe, simple, and scalable security platform that tightly integrates your identity, authentication, and channel security.

Tigerscheme

Tigerscheme

Tigerscheme is a certification scheme for information security specialists, backed by University standards and covering a wide range of expertise.

Ideagen

Ideagen

Ideagen provides information management, safety, risk and compliance software solutions that allow organisations to achieve operational excellence, regulatory compliance and reduce risk.

NetLib Security

NetLib Security

NetLib Security’s powerful, patented data security platform helps companies control data loss prevention (DLP) by managing what data can be transferred outside of their network.

e2e-assure

e2e-assure

e2e Protective Monitoring and Security Operations Centre (SOC) Service is a complete cyber defence service to protect your critical assets from cyber attacks and GDPR breaches.

Centro de Gestion de Incidentes Informaticos (CGII) - Bolivia

Centro de Gestion de Incidentes Informaticos (CGII) - Bolivia

CGII is the Computer Incident Management Center of the State of Bolivia.

Velta Technology

Velta Technology

Velta Technology provide digital safety and cybersecurity solutions for the industrial space.

Purple Knight

Purple Knight

Purple Knight is a free Active Directory security assessment tool built and managed by an elite group of Microsoft identity experts.

Apollo Information Systems

Apollo Information Systems

Apollo is a value-added reseller that provides our clients with the complete set of cybersecurity and networking services and solutions.

Swish Data Corp.

Swish Data Corp.

Swish delivers when the problems are complex, requirements are difficult, and the mission is absolutely critical.

turingpoint

turingpoint

turingpoint GmbH is a tech enabled boutique consultancy. It was founded by security experts with a focus on cyber security and software solutions.

National Renewable Energy Laboratory (NREL) - USA

National Renewable Energy Laboratory (NREL) - USA

NREL is transforming energy through research, development, commercialization, and deployment of renewable energy and energy efficiency technologies.

ZEST Security

ZEST Security

The ZEST platform natively integrates into your technology stack to make efficient risk remediation possible.

Trinsec 7

Trinsec 7

Trinsec 7 is the first security firm to integrate cybersecurity, electronic security, and identity protection into a single, intelligence-driven solution for growing businesses and modern families.