There's a special folder in my email inbox where I keep communications from companies where data breaches have allowed my personal information to be stolen--or maybe it's a special circle of hell.
Its volume grows almost month by month. It holds warnings from Target,
Anthem's communication is a pretty standard version of the genre. It's a "don't-blame-us" message masquerading as a mea culpa, along with an offer of free identity theft services that aren't as useful as recipients are led to believe. So here's a brief annotation to explain what Anthem is really saying.
Anthem: "On January 29, 2015, Anthem, Inc. (Anthem) discovered that cyber attackers executed a sophisticated attack to gain unauthorized access to Anthem's IT system and obtained personal information..."
The key word here is "sophisticated." The message is that the hackers were so skilled that Anthem couldn't possibly defend against them--no one could. This is a conventional defense by cyber-attack victims, including such high-profile companies as Sony. Writes Peter Zavlaris of the security firm RiskIQ, "deeming an incident a 'sophisticated attack' without providing further explanation is becoming a post-breach norm."
Often it turns out that the breach isn't so sophisticated, but that hackers exploited known vulnerabilities in the target's system. That appears to be the case with Anthem. The huge healthcare firm didn't encrypt the huge volume of personal information it held, for example. While there's a debate over whether encryption would have stopped the breach, some experts say its absence points to a general laxity at Anthem about cyber-security.
Anthem: "Anthem believes that this suspicious activity may have occurred over the course of several weeks beginning in early December, 2014."
Some reports say the attack began much earlier, but the first attempts were detected and deflected. Whether Anthem stepped up its monitoring of attempted incursions isn't clear, but it did take six weeks or more for the firm to discover that its security had been breached.
The hackers seem to have been persistent. The indications are that they gained access to Anthem's data by stealing the network credentials of at least five employees with high-level IT access. The means may have been "phishing"--using a fraudulent email to trick any of those employees into revealing his or her network ID and password, or into unwittingly downloading software code that gives the hackers long-term access.
That's not a sophisticated technique, but it works. It means exploiting the human element, writes Steve Ragan at CSO Online, a cyber-security information site. "Technical controls will only go so far," he reports. "Once the humans are exploited, those controls are next to useless....Technology didn't detect the Anthem breach, a human who was paying attention did. Self-awareness among the staff is a serious bonus to any information security program."
This points again to a flaw in the security culture at Anthem--the notion that network credentials must be protected at all costs apparently wasn't sufficiently drilled into employees with high-level access. Too many of them may have had too much access to too much of the system.
Anthem: "Anthem is providing identity protection services to all individuals that are impacted....Anthem has arranged to have AllClear ID protect your identity for two (2) years at no cost to you."
Get in line, Anthem. I've already got access to "identity protection services" provided at no cost to me by several companies that allowed my personal data to be breached.
Offering monitoring services to customers for some period after a breach is now part of the all-purpose corporate apology for its own laxness. "These are basically PR vehicles for most of the breached companies," security analyst Avivah Litan of Gartner Inc. told Brian Krebs, a journalist specializing in cyber-security. "Breached companies such as Target like to offer it as a good PR move even though it does absolutely nothing to compensate for the fact that a criminal stole credit card mag stripe account data."
Litan's advice to consumers is: sure, accept the offer, "but don't expect it to help much – by the time you get the alert, it's too late, the damage has been done. It just shortens the time to detection so you may have a slightly improved chance of cleaning up the damage faster."
As Litan and Krebs observe, by federal law consumers already have free annual access to their credit reports via the federally authorized website www.annualcreditreport.com. (Note: DON'T fall for other websites offering access to the federally mandated free reports--they're mostly trying to snare you into buying their own services.) Since there are three large credit reporting agencies subject to the mandate, experts advise checking your credit report at one of them once every four months, thereby spreading your monitoring through the year.
Anthem also advises consumers that they can place fraud alerts with any of the credit reporting agencies. The alerts require potential creditors to obtain your permission before opening a new account in your name. As Krebs points out, the alerts are free, and can be renewed every 90 days.
As for AllClear ID, the firm hired by Anthem, it gets generally good marks from other security experts. Krebs' personal experience with the firm is encouraging. When a burst of fraudulent credit applications were made in his name with Capital One, AllClear ID helped him deal with the uncooperative Capital One and with Trans Union, one of the big three credit reporting agencies, which was even worse.
AllClear was "tremendously professional," Krebs says, but he warns that its service has limitations, as do all such services. "The company could do nothing to stop creditors from pulling my file, or fraudsters from making new applications in my name," he writes.
Finally, Anthem: "There are steps you may take to guard yourself against identity theft or fraud. We urge likely impacted members to stay alert for incidents of fraud and identity theft. This includes reviewing your account statements and checking free credit reports. Also, you can report suspected incidents of identity theft to local law enforcement, the Federal Trade Commission (FTC) or your state attorney general."
Translation: We may have allowed the data breach to occur, but you're "it." Thanks to our sloppiness, you're going to have to keep an eye on your own credit rating.
Perhaps the crisis will pass during the two years in which AllClear ID will be monitoring your credit at Anthem's expense, but don't relax: By then some other company that holds your personal data in its computer network will have given it up to a gang of "sophisticated" hackers, and you'll be offered another year or two of free oversight.