I hate the tone of that letter, has the typical PR tone all over it.
Basically to sum it up: "Your Social Security Number, Name, Birthdate, Address, and everything else needed to steal your identity is at risk. But don't worry! Your credit card number is safe."
The whois[1] records for http://anthemfacts.com was registered in December. It took them months to create that PR report and prepare for damage control. They should have notified victims much earlier.
To give 'em the benefit of the doubt-- perhaps perhaps perhaps they needed that particular domain in anticipation of some other instance where they dropped the ball but your conclusion is more compelling.
So, today it was announced that they knew something was up as early as 12/10:
"The company also confirmed Friday that it found that unauthorized data queries with similar hallmarks started as early as Dec. 10 and continued sporadically until Jan. 27.
...
The hackers succeeded in penetrating the system and stealing customer data sometime after Dec. 10 and before Jan. 27, Binns said."
Who cares about credit card numbers when you are protected for free and your credit card can be reissued unlike your SSN. I can't believe than in 2015 there's no modern way to verify and protect your identity! There are still so many stupid system relying on your last 4 of your SSN or DoB as authentication!
In Sweden we have a personal number. It's unique to every person but its not secret at all. You use an official identity card or passport or the electronic variant to identify yourself. I'm guessing its some kind of privacy issue behind there not being a similar system in US? Because it works pretty well.
Just rename it Patriot ID and I'm sure people will come around :/
Seriously, if California is giving driver's licenses to whoever wants them (and who's 16 and can learn to drive), I don't see the harm sending out centrally verifiable identity cards. The costs of implementing such a system have gone way down over the years, but to be sure, bid out the job and finance it with surcharges on credit report checks, and any other transaction that involves verifying identity. There are surcharges everywhere else in the transaction. What probably concerns a lot of people is that they don't want the government to know every time they get a credit check. Not sure how you solve that, other than making this a GSE or legal monopoly.
Sweden's entire population is about the size of the Chicagoland area. Now imagine 320+ million people all living in different semi-autonomous states all with their own bureaucracies and hundreds of taxing authorities. Now imagine proposing a national ID card to these people. Yeah, its not that easy. The US isn't centralized like a lot of European nations. Governance of very critical things are done on the state level and that isn't going to change anytime soon.
>I'm guessing its some kind of privacy issue behind there not being a similar system in US?
The social security system, which is a federal program, produced a unique number for all citizens. The states quickly started using this number in their own bureaucracy and everyone else followed (banks, etc). Now its a defacto numeric identifier.
The big problem here is how easy it is to get credit in my name if you have my SSN, like its the root password to my finances. Credit is far too easy to get in the states from a paperwork perspective. I should not fear other people getting my SSN. Banks and other organizations need to realize that if someone presents my SSN, that doesn't mean its me. More numbers or psuedo-SSN's aren't the fix here. The fix is due diligence and better fraud protections.
Not to mention everyone already carries a unique identifier thats easy to verify - your fingerprint. I think SSN + fingerprint plus a letter sent to my home that needs to be signed should be the minimum to open any line of credit. SSN alone should be worthless.
Its also bothersome that PCI-DSS and other regulations treat credit cards like NSA secrets, which is fine as they should be encrypted, but there's no legislation or guidelines to make SSN's encrypted. SSN's sit as plain-text in every database in the US. That's kind of scary and probably invites hacks.
Not to mention everyone already carries a unique identifier thats easy to verify - your fingerprint.
Actually a surprising number of people don't. For either medical (dermatitis), work (manual laborer wearing them out, operation room personnel scrubbing them out...) or age related reasons.
Well, the US has States and that complicates things quite a bit for this type of thing. Most states will give you a driver's license number as an id (with the appropriate "ID Only" mark).
There is also the Real ID Act[1] that trying to establish federal id requirements. This is going to cause some problems and look for it in the news. It is a DHS enforced national ID law.
And yes, some of the folks in the US believe a national ID that is needed to buy, sell, or get a job would be a little too close to the Bible's mark of the beast. That gives quite a lot of friction to any national id.
some of the folks in the US believe a national ID that is needed to buy, sell, or get a job would be a little too close to the Bible's mark of the beast.
You're exaggerating a bit into a strawman.
I strongly oppose REAL ID (which, by the way, was around for a while before the DHS existed). And as a "tooth fairy agnostic" as Dawkins would say, I'm not the least bit concerned about the number of the beast.
What I am concerned about - and this goes the same for anyone else with whom I've discussed the issue - is, why is it the federal government's business at all when and how I "buy, sell, or get a job"? This seems like a tool for the federal government to get its grubby mitts into more stuff that's not within its enumerated powers.
Perhaps I should have separated that from the DHS stuff, but it is a belief of some folks (enough who vote to have made a long difference) and it goes to why we don't currently have a national id. It is part of the history in the US and the original poster is not from the US and wanted some reasons.
DHS is the agency currently charged with Real ID Act oversight. I'm not sure the who is important before the law is implemented.
A social security number (SSN) is the same idea. The difference is that not every citizen has one.
The problem with this number is that, similar to Sweden, it can be used as an identity number and as a password. This is a terrible thing to do. In your small country of homogenous socially protected people, you may not have a widespread problem of theft. In the US, however, there is an entire industry of stealing these numbers in order to take out new lines of credit, buy items at stores, and then not pay them off.
Good job issuing the release in the middle of the night to try to avoid the PR, too. What a trainwreck. Anthem basically passed out identity theft kits, and you can even sort by income to go after the rich ones first! (Why does Anthem know your income? It doesn't seem relevant to offer you health insurance products.)
> Why does Anthem know your income? It doesn't seem relevant to offer you health insurance products.
Your income is strongly correlated with your health. The lower your income the more likely you are to suffer from conditions such as obesity and diabetes, and the higher your mortality rate will be. Health insurers can use income figures as one factor when calculating the overall risk of a policy.
Yes, but they can use that as grounds to not pay a claim if they find out.
It's not illegal, but it violates the contract you sign with them and lets them off the hook for paying for things. Mind you, they'll still keep the money you paid them.
I know my credit card company allows me to set a password to prevent unauthorized access from someone who might have stolen this kind of data. Is there a similar system in place to make it harder for an identity thief to open accounts in my name or do other things that might damage my reputation?
You can freeze your credit. I don't claim it to be a comprehensive solution to a complicated topic like identity theft, but it helps, and is fairly easy and inexpensive to do.
Lifelock doesn't catch everything though. Neil Boortz, a former syndicated radio talk show host, had someone open a bank account and take Social Security distributions for several months and Lifelock didn't catch it. http://www.wsbradio.com/weblogs/nealz-nuze/2014/sep/04/my-so...
The security products arent great, true, but the ppl working as security engineers in companies are often quite decent.
It seems to me that its the usual issue. People don't see the need for protection until they've been hit. It seems to be a cost that doesn't make sense to them. They don't even care anymore.
True that about the security engineers, but they are at the mercy of products that claim to distinguish good from bad and this has never worked, IMHO. How the hell can you write signatures against malware/documents/web-sites/files/attacks/blah when there's so much diversity and quantity of stuff to keep up with?
Disclaimer: I built the first IPS to be commercialized and yes we used signatures amongst other things.
I've actually had the exact opposite experience. Security Engineers at most companies have no idea what they're doing beyond running the scanner and parroting whatever it spits out.
"The scanner says your server is vulnerable"
"Ya, we patched that vulnerability weeks ago"
"The scanner says it's vulnerable"
"OK.... looks at scanner - oh, it's just reading the banner, and not taking into account that the major rev didn't change, it's patched"
"The scanner says it's vulnerable"
"OK... so what if I change the banner so it doesn't pick it up as vulnerable?"
"The scanner says it's secure now, thanks!!"
The guys who know their stuff in security generally have a desire to actually get paid well, and have time to do legitimate research. They don't really have a desire to sit in a corporate job dealing with the mountains of bureaucratic bullshit that goes along with security in a corporation. Do you really want to be the guy who gets thrown under the bus because you had to disable strong passwords because the CEO was angry he needed both upper and lower case letters in his AD password?
>Do you really want to be the guy who gets thrown under the bus because you had to disable strong passwords because the CEO was angry he needed both upper and lower case letters in his AD password?
Except those strong password policies don't strengthen security at all, neither in theory nor practice. Congratulations, the CEO's password is now "qweRTY" and it's written on a yellow sticky-note on his monitor.
A post-it note on his monitor of a secure password (they generally require a number or special character, as well as being 8 characters long), is actually better security than an extremely simple password. I can have him lock his office door... I can't prevent someone from brute forcing the password he's re-used on every site on the internet.
I literally tell my parents to have a secure password they write on a post-it note. The odds of someone breaking into their house for their password is about 1/10000th the odds of someone cracking their simple password on a website and getting the keys to the kingdom.
That's very vicious PR to me. By acknowledging some guys thre were hacked too, they implicitely say that : "we're in the same boat, anthema and their customers, we'll fight together". Which, at least for me, is completely wrong. They fucekd up and they put the customers in the siht.
"A very sophisticated external cyber attack" which is a "security vulnerability"... The more "sophisticated" they claim this "cyber attack" is, the more I think it's a garden-variety SQL injection fuck-up.
They've done a bad job of protecting their customer's data, and an even worse job of explaining what actually happened.
That's really my problem -- that they're leaving their victims to speculate.
It's great that they "made every effort to close the security vulnerability". How's that going?
They hired Mandiant to "evaluate our systems and identify solutions based on the evolving landscape." Is "evolving landscape" CEO-speak for "Oh, god, we're still leaking customer data like a sieve, make it stop!"?
I'm just going to keep speculating, because if Anthem's not going to bother speaking plainly, I'm just going to assume the worst.
>It's great that they "made every effort to close the security vulnerability".
I love that quote, they try to cover their asses by saying we closed the vulnerability. My question is why did you wait till it was taken advantage of?
If we combine the Check Point firewall job posted on the Anthem Inc's website on 1/30/2015, add in the "discovery" on 1/29/2015, and think about Check Point's vulnerability to Heartbleed and Shellshock last year, one might also guess that a VPN stolen-credential compromise (like the major CHS breach last year) or a generic firewall compromise (via shellshock) are in the running as possibilities.
Privacy Rights Clearinghouse has a couple of excellent fact sheets on identity theft
https://www.privacyrights.org/how-to-deal-security-breach covers situations like this where there's been a security breach - how to order and monitory credit reports, put in a security freeze (which makes it harder to open up new credit cards or credit lines in your name), etc.
It makes me wonder. For several years the US government, Medicare, and private insurers have been pushing hard for health care providers to adopt Electronic Health Record systems. Now in the current phase "interoperability" of EHR systems is the catchword.
A question to ask is how secure is a large network of EHRs going to be? I don't know of data showing the frequency or severity of EHR security breaches but it would be surprising if there were not at least some. In any case, this kind of info would probably not be made available to the public, even though it should be.
Anthem's poor job of keeping confidential info private is especially distressing given the fact that many health insurers are also health care providers (e.g., hospital systems). Computer systems are very hard to operate securely, and after what happened, it's hard to trust these corporations will take the task seriously.
I've been quietly predicting that security of health information is going to become the Next Big Privacy Issue as the Internet of Medical Records grows ever larger.
Ultimately, the web is an attack vector that no one is immune to. Did you read the Syria hack recently? Just a skype chat with an attractive opposite-gender is enough to download a piece of malware masquerading as a picture you really want to see. While the human aspect has always been a key element of getting hacked, products that claim to distinguish the good vs. bad are failing big time. And this has been the pillar of enterprise security (classifying good against bad) for the last 20 years and is starting to show its age.
"A question to ask is how secure is a large network of EHRs going to be?"
LOL, everyone 'on the inside' (by that I mean: at least anyone who works on computers, software or networks professionally) knows the answer to that question: it's going to be a train wreck. There is not a single person on this planet who really understands just 1% of the software, hardware and network infrastructure they/we work on every day; let alone how all of these interact. Computers, in 2015, are so complex, and our 'engineering' is so shoddy, that there is no way to safeguard networked data for anyone but the most determined and resourceful parties (by which I mean organizations of which there are but a handful in the whole world, and even those can't seem to keep secrets really secret.) Either way, there is no way at all that a non-IT focused organization like a healthcare insurer or provider will be able to keep data secure, and it's only a matter of time before incidents like this will become commonplace.
Consider: I have an in-law who is a partner in a largish practice in my area. We talked a bit about the business aspects of the practice when she became a partner because she had to put up with all the management crap all of a sudden and it was nice for her to vent to people who had similar issues. Anyway, point being I know a bit about the finance and management of a rather typical organization like that. These people will in the next 5 years somehow get access to our, by then, country-wide EHR system. They work on computers they buy from the local computer shop because the prices 'seem reasonable' and Jimmy who works there dates the secretary or whatever; so Jimmy (whose training was in swapping out hard disks and reinstalling Windows) is the one who 'maintains' their systems, too. Their cash flow is so precarious that some months they can't pay full wages to the partners. How will an organization like that ever be able to secure their network? Their 'security' consists of the cable guy setting a non-default WPA key on their wireless router.
And of course, they're required by the organization that maintains the EHR system to have 'regular auditing of their systems' to ensure security. Which consists of a couple of big 4 consultants who interview the management, tick some boxes on their checklist and make a 50-page CYA report out of that, without ever having touched a server or network.
I got out of the security game 10 years ago, and it was already scary back then. Maybe somebody who still works there will feel otherwise, but computer security (on the blue team) is like FEMA sending two guys with a shovel and a Walmart plastic bucket to a dike breach. (whereas on the red team it's shooting fish in a barrel, of course.) We are truly fucked, because too few people understand the magnitude of the problem and as long as there are no problems and you don't look too closely at the robustness of things, using computers is much cheaper than the alternatives.
No, you're about right. On the bigger corporate side, security is at least the big buzzword. The VP- and C-level positions want to be sure that action is being taken to improve security, but day to day requests to poke holes in the walls come in. That is not to even mention the huge, ancient systems that are in the middle of multi-year replacement processes that began before security was so important. That means at best the replacement will have the security best practices of the last few years stapled on awkwardly, but more likely nothing will change given the millions poured in already.
This is why, increasingly, my view is that people should be in charge of their own data, and only what is specifically required to complete a transaction should be disclosed.
How to implement that technically becomes an interesting question, but between pocket spies with storage measured in tens of GB to TB, and various forms of key authentication, it seems that there are several possible options.
The whole discussion above regarding the false crime of "identity theft" (it's impersonation fraud facilitated by the data holder's negligence) is another point of increasing frustration for me.
I've been having a few related discussions with David Brin (a data cornucopian) on Google+. Brin, hardly to my surprise, responds with extreme derision.
> Anthem learned of the hacking last week and called in Mandiant over the weekend. The company was not obligated to report the breach for at least several more weeks but chose to do so now to show that it was treating the matter seriously.
Could this be any more patronizing and offensive? Look, if you are Anthem member, or if you were an Anthem member, you've been doxxed... and quite comprehensively:
have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data
And you were doxxed nearly two months ago. Or maybe not, because Anthem goes out of its way to NOT tell you when this occurred. If you were affected here's how they will notify you:
We continue working to identify the members who are impacted. We will begin to mail letters to impacted members in the coming weeks.
So sometime within the next month you will get a snail mail telling you that you were doxxed... and that letter will probably be extremely vague about the details, but will be quite heavy on the PR and perhaps even have a nice picture of Grandpa CEO at the top.
Anthem is not taking this seriously. No matter what they are trying to communicate with their PR gloss, they seem to care about covering their asses first and really don't seem to give a hoot about all your personal data that is out there in the wild.
In modern usage of the term they don't. The term originated in underground circles where anonymity by all participants was assumed, and where there were probably legal or criminal revenge consequences for tying a pseudonym to a real identity.
Kind of like how troll now means 'person who is an asshole on the internet' instead of 'post designed to rile up and elicit frivolous responses'. The meaning has changed over time for better or worse.
What are you talking about? I never said this was "doxing"; I know there was no reveal. I was referring to the definition of "doxing" which I felt didn't fit.
Did you read the comments completely? If Randi, Anita, and Brianna weren't anonymous but they were "doxed" it seems to me that "doxing" doesn't have to refer to revealing info of an anonymous person.
The domain could have been created as part of a crisis preparedness plan. I know a lot of boards were scrambling to beef up their incident response plans after the Target and Home Depot incidents.
This is really frightening. Honestly, what are these people supposed to do now? I'm not even really sure how to vet insurance companies' data privacy, since most get their insurance through their employer.
You seem to be implying that the domain was registered in response to the breach.
Could it be that the anthemfacts.com domain was intended for a different use, or to prevent someone else from registering it, and was re-purposed after the intrusion to present Anthem's case? I don't know much about SEO, but quarantining negative information on a separate, immediately available domain might be the motivation here.
A domain name that is being used exclusively to address to data breach, and was registered within the past 2 months. And it's just a coincidence?
Seems very unlikely.
And I'm sure they're quarantining negative info on an unrelated domain, but why would they even need to consider repurposing an existing domain name, instead of buying one? We're not talking about somebody doing a side project and hoping to save a few bucks by repurposing another domain name. And it takes all of a few hours to buy a domain name and have it propogate.
What's unlikely about it? Maybe if the domain name was "anthemdatabreachinfo.com" or something more specific, but "anthemfacts.com"? Many companies register lots of variation of domain names that they aren't using. I don't think it's unlikely at all that this came up, and there was a meeting where they said "OK, do we have any existing domain names we can use for this?"
So what have they been using the domain for in the few weeks since registration? The domain doesn't appear in web.archive.org until today, and searching Google for the domain between December and the end of January shows nothing.
The website itself says "we have created a dedicated website ... anthemfacts.com" for this incident.
[Edit: replaced two egregious uses of "website" with "domain"]
"A domain name that is being used exclusively to address to data breach..."
My point is that while it is used for that purpose now, that doesn't mean that it was registered for that purpose back in mid-December. Your theory about the breach occurring earlier and being concealed until now is certainly possible, but the domain registration date on its own is not supporting evidence.
Perhaps? In August 2014, they registered stanfordanthemfacts.com on which they've posted the November 11. 2014 announcement that they have continued their contract with Stanford Health Care: http://stanfordanthemfacts.com/
Maybe after the Stanford (and other such announcements), they had decided in mid-December to snag anthemfacts.com and then, after learning of the breach, decided to put it into action for this monumental event. However, what are the chances that it took one week for a health insurer, upon discovering the breach, to launch its PR campaign, nevermind fully understand the nature of the breach to be able to publicly announce it. Given the delicate nature of the situation, as well as its historic size, this is not something that a health insurer would want to prematurely make an announcement on without being very sure that the damage is contained. And they contained it within a week? I realize that I'm slightly begging the question here, but yes, part of my skepticism comes from how quickly they were able to move...One week would make it one of the fastest discoveries-to-announcements, which given the scope of the breach, is pretty amazing.
Edit: It's worth pointing out though that there would be records of them contacting the FBI and Mandiant, and I would give them the benefit of the doubt that they would make such contacts upon discovery of the breach...so if the FBI confirms that the contact happened a week ago, I would take Anthem at their word.
If they misled the New York Times, then they've also misled the Wall Street Journal[1]:
> "Anthem’s Mr. Miller said the first sign of the attack came in the middle of last week, when a systems administrator noticed that a database query was being run using his identifier code although he hadn’t initiated it."
AnthemFacts was registered 54 days ago, which would be within the legal timeframe for disclosure that the Wall Street Journal notes in their article:
> "Federal law requires health-care companies to inform consumers and regulators when they suffer a data breach involving personally identifiable information, but they have as many as 60 days after the discovery of an attack to report it."
Lastly, some more "specifics" that NY Times didn't mention:
> "Investigators tracked the hacked data to an outside Web-storage service and were able to freeze it there, but it isn't yet clear if the hackers were able to earlier remove it to another location, Mr. Miller said. The Web storage service used by the hackers, which Mr. Miller declined to name, was one that is commonly used by U.S. companies, which may have made the initial data theft harder to detect."
Domain registration doesn't necessarily mean anything; my employer owns similar domains, just in case we need them. This is standard crisis plan stuff these days.
So, today it was announced that they knew something was up as early as 12/10:
"The company also confirmed Friday that it found that unauthorized data queries with similar hallmarks started as early as Dec. 10 and continued sporadically until Jan. 27.
...
The hackers succeeded in penetrating the system and stealing customer data sometime after Dec. 10 and before Jan. 27, Binns said."
It would be responsible of them to alert their current students and alumni of the breach, because as of now, I don't think they have. At UCB, there is a medical facility on campus and when you have ship insurance it almost feels as if your provider is the school itself. Dues are paid as part of tuition and most services can be rendered on campus, as well as, most questions about your insurance answered at their front desk. Easy to forget that you're actually a client of Anthem.
Greeeeeeeeat. Anthem just became my health care provider. This fills me with confidence.
I'm especially unimpressed by Anthem's failure to hire a good copy editor for such a vital message, as evidenced by the painfully obvious error at the end of the penultimate paragraph: "share that information you" should read "share that information with you".
Turned 26 in January. Purchased Anthem medical insurance so I don't get penalized by Obamacare. Surprised how expensive it is, but bit my tongue and continue. Anthem gets hacked. My Name + SSN is probably somewhere it shouldn't be; ugh.
You are required to give your SSN if accepting the Obamacare subsidy, look for it in the "fine print," which doesn't come close to meeting the intent of the Federal Privacy Act of 1974 (Public Law 93-579). Unfortunately, the Obamacare subsidy is a form of government assistance. The healthcare.gov operation is a joint venture between the government and non-government entities. If you are personally paying for your coverage, you "voluntarily" gave it to them when you filled out their application. I personally haven't been known to any insurance company, especially health and life, by my SSN since 1979! Remember, they can't lose (or be hacked out of) misplace, abuse or misuse what they don't have. All government agencies (but not anyone else) are required to follow the Federal Privacy Act of 1974 and it's requirements prior to you disclosing your SSN to them. Unless someone is paying you a salary, wages or interest don't give up your SSN! Don't ever give up your SSN and accept a lifetime of liability and potential ID theft for some else's 3 seconds of convenience. You are not numbered like a head of livestock. Stand your ground and take your business elsewhere when dealing with a non-government entity who insists on having your SSN! Information travels in one direction and you're not going to get it back.
Makes you wonder doesn't it, the dollars that got spent to have something blatant happen. Its not an industry I'd like to be in, with everything so compromised.
It's important to remember that many of the security folks at these companies are actually pretty good. This is more of a C-Suite problem than a security team problem - security people can't get much done if senior management doesn't prioritize a good information security program.
So, to stress out that they are not morons, they call this "sophisticated". You can safeguard your personal info as much as you want, but these big data warehouse will always leak it!
Why were they storing sensitive data of former customers?
It seems like a risk with no benefit, with the only justification being "all data could be valuable eventually so let's never delete even the personal sensitive data." Ironically, the data did eventually become valuable - to someone else.
It used to be common for insurance companies to look carefully at your coverage record, and if you had any time during which you were not covered, they'd say stuff like "Oh, that horrible cancer you have? Yeah, we're not paying for it because it was a 'pre-existing condition' that you got during that weekend you had between two jobs six years ago." And the law let them do that.
Health care in the US is . . . the phrase "utterly broken" isn't strong enough. We need a good fifteen syllable German word for how fantastically fucked up it is.
Of course I'm trying to explain Anthem hanging onto data. Probably it was totally selfish ("we can send them spam") or sheer laziness.
Don't forget having to deal with billing nightmares even after you're no longer using an insurance company. You still could end up fighting with them over their failure to pay for something.
> they'd say stuff like "Oh, that horrible cancer you have?
> Yeah, we're not paying for it because it was a 'pre-
> existing condition' that you got during that weekend you
> had between two jobs six years ago."
Can you give a link to an article about this? I didn't know "pre-existing condition" worked like that.
The example is a little bit exaggerated, but basically if you have a major medical problem with huge bills, the insurance companies will look for a ways to get out of paying. It may not be right or even legal, but the process of disputing claims is a confusing hassle. I can tell you from personal experience that it takes a lot of determination to dispute with an insurance company and I can imagine a lot of people just give up.
Between jobs I had my wife's insurance cover me for a weekend. The HR types I talked to made very sure that I had documentation of unbroken coverage, saying that it was pretty common for insurance companies to argue pre-existing conditions for even a day of not being under some insurance umbrella.
I believe this is no longer allowed under relatively recent law.
IIUC, not since Obamacare went into full effect in 2014. One of the main provisions of it was that it became illegal to deny coverage based on pre-existing conditions.
They still need the records because one of the other effects of Obamacare is that it became illegal to not have health insurance, but it's broken in a different way now.
The question is not whether it will be efficient but whether it will happen.
It will mean licenses and certifications to have the right to store personal data, regulations to comply with in term of system architecture with audits and penalties for breaches. More bureaucracy and processes. You won't create a website over a week end.
Currently any idiot can create a database and store sensitive information without even knowing what a SQL injection or a rainbow table is.
Most professions are regulated: architects, doctors, pilots, farmers, bankers, even restaurants! And each time regulations come as a result of fk ups: banks or homes collapsing, conmen selling snake oil, food poisoning, etc. IT is the only sector where mild amateurism is not only acceptable but rather the norm more than the exception.
Having spent almost 4 years in healthcare IT. Very few healthcare organizations take security seriously. There is very much a security by anonymity ideal. I worked for a small medical company that had access to 20,000 PHI records, and I was explicitedly told, "why would anyone want to hack us, we are small potatoes." I left that company shortly there after.
Yet companies I work with now big and small look at security as just a bunch of checkboxes on a government audit form. As long as upper management continue to see security as a cost loss center, and continue to only do the minimum nessissary to pass said audits. These breaches will continue to happen.
>I worked for a small medical company that had access to 20,000 PHI records, and I was explicitedly told, "why would anyone want to hack us, we are small potatoes."
I don't think we proactively pentest our stuff either. I've never heard of any security discussions but that may just mean I'm not being included. We have a few more zeroes after our PHI record count too.
I can't even imagine a healthcare company acceding to a proactive pentest. Even if it was compared to a vaccination or a routine health check, they still wouldn't do it. The gaping holes in security that would be uncovered. Unreal. No way in hipaa hell. lolwut, find problems that exist in our current system? Our system is fine. It's not broken, so don't break it.
Exactly my experience. We had all the production passwords for servers and databases in a text file in the repository because the chief architect didn't like to remember passwords. When I pointed this out as a HIPAA violation the CTO told me they passed their audits so it didn't matter.
To be fair, if your systems relied on your chief architect not being hit by a bus, that would probably be worse than having the passwords stored someplace.
What provision of HIPAA does this actually violate?
Its clearly a bad practice (and obviously increase the risk of a breach, which, if it occurs, becomes an issue under HIPAA and related laws), but AFAIK neither HIPAA and subsequent modifying statutes nor the regulations adopted thereunder actually mandate particular password handling practices. Or is there something addressing that in the "guidance" issued under the HITECH act (I remember that establishing, by reference, some standards for encryption, and it wouldn't have been out of place for it to establish password-handling practices)?
Covered entities must "[protect] against any reasonably anticipated threats or hazards to the security or integrity of such [electronic protected health information the covered entity creates, receives, maintains, or transmits]" (45 C.F.R. § 164.306(a), http://www.law.cornell.edu/cfr/text/45/164.306). Storing passwords in the clear "obviously increase [sic] the risk of a breach", hence this is a reasonably anticipated threat.
HIPAA and similar laws don't codify whatever we think is good computing practice today. Down that path lies madness. Congress would have to re-write the law any time GCPs change, or else the law would become a hindrance to the very goals its trying to achieve (in this case, healthcare-related information security). Instead, the law is written more generally, with "reasonable" being the keyword that lets the legal system refer to current practice.
> Covered entities must "[protect] against any reasonably anticipated threats or hazards to the security or integrity of such [electronic protected health information the covered entity creates, receives, maintains, or transmits]" (45 C.F.R. § 164.306(a), http://www.law.cornell.edu/cfr/text/45/164.306).
But they also have freedom to select the particular security measures to use, considering: "(i) The size, complexity, and capabilities of the covered entity. (ii) The covered entity's technical infrastructure, hardware, and software security capabilities. (iii) The costs of security measures. (iv) The probability and criticality of potential risks to electronic protected health information." 45 C.F.R. § 164.306(b)
> HIPAA and similar laws don't codify whatever we think is good computing practice today.
No, but that's what implementing regulations usually do. HIPAA regs mostly don't include minimum technical standards (most of the security minimum standards are procedural).
> Congress would have to re-write the law any time GCPs change
Well, sure, if the minimum standards were written into the statute, which is why they are usually in the much-easier-to-change implementing regulations. The guidance under the HITECH act in effect did some of this for HIPAA PHI, as it created minimum standards for PHI to be considered "secured". But, generally, there's not much there, and its very difficult to make a solid case that any particular technical practice is necessarily a violation of the HIPAA Security Rule.
>I worked for a small medical company that had access to 20,000 PHI records
I can only imagine the data protection standards at small equipment manufacturers and old-school pharmacies. I'd guess their biggest security measure is keeping paper files in a locked office.
I think that might overall be a better strategy than a really half-assed digitization plan. Paper records aren't that high security, but they are moderately resistant to bulk theft: leaking 20,000 paper patient records takes a lot of physical effort.
A lot of those size companies are offloading their EMR security to larger EMR cloud providers. While it helps to protect the smaller companies, and is more cost effective then trying to manage it internally, I still wonder about security of those records, being how most of those are a web login that most if not everybody on the Internet has access too.
Most security decisions aren't taken by senior management. I am sure it is not Sony's senior management who decided to store passwords in clear text in the PSN.
Management focus would ensure everyone in the organisation focuses on security but most security breaches are the result of IT people doing stupid things or making stupid decisions on the ground. It's not senior management's role to check that you didn't introduce a SQL injection risk in your code. Like it is not senior management's role to check that the accounting department followed properly the latest US GAAP guidelines. It's down to employees being competent at what they do.
That's just not true. The direction of IT certainly is set by upper management, as well as the budget. If IT says 'we need an IDS' and management says 'it's not in the budget', what can IT do about it? If IT says 'it will take this long and this much money to change our password policy' and management say 'work on new things, not changing old things', what can IT do about it?
Senior management might not directly set the password policy, but they do say what you should work on, and by proxy, what you're not going to have the time to work on. And besides, what is the role of management if not keeping track of their employees? If an employee fucks up that bad, it's their managers fault.
And yes, if the accounting department was that incompetent, SOX says it's senior management's fault. That's what the yearly attestation is for.
Well, somehow engineers and architects manage to resist management pressures in favor for security, you don't see many bridges collapsing but they have financial constraints too. And accountants resist management pressures to bend the accounting standard, or they go to prison too.
IT is in many respect an unregulated profession. Pretty much anyone can declare himself a programmer. There are some regulations on certain systems but not on people.
I am not a fan of regulation but the current pace of data breaches is just unacceptable. If we don't find a solution, some old lawmaker will.
There are certain regulations about IT, enforced not by the government but by private companies (such as PCI).
I'm just going to have to disagree with you and move on about regulating the people, though. I see your point, but I just don't agree. If anything, I feel managers should be regulated, so they are only allowed to oversee positions where they have the knowledge to fully understand what their direct reports are doing, from front-line to c-level. That's what I feel is the problem.
SOX isn't a regulation of the programmer, it's a verification that his management actually doing their job overseeing him.
I am not saying that regulation is desirable. In fact it is going to be a major obstacle to innovation. What I am saying is that we pretty much see a major data breach every week. There are some instances where one can call them force majeure, like a zero day on a major security component in windows or linux. But there is no excuse for SQL injections vulnerabilities, unencrypted personal data, IT professionals logging-in to websites without checking the URL, unpatched systems, etc.
Complaining about budgets to fix these issues is like saying that the problems with collapsing bridges is that we don't spend enough fixing the structure. Well, it should have been built properly in the first place.
Yes, resources will have to be allocated to fix existing systems but I think the problem here is more fundamental than a problem of budget and management focus. We need to have a profession competent enough to build a bridge structurally sound even with average engineers.
And this is a general comment. We don't know yet how this particular breach happened.
"Complaining about budgets to fix these issues is like saying that the problems with collapsing bridges is that we don't spend enough fixing the structure. Well, it should have been built properly in the first place."
I'd like to think that engineers do want to build things properly, however to build something properly it usually involves more resources. The problem is when it comes down to brass tax the low bidder wins. I've worked in many big companies over many years, and yes I've hacked things together MANY times because of budget/time constraints. A lot of it was because of Management wanting to come under budget, or because they wanted to rush the product to be a hero.
I don't get where this idea comes from that engineers just want to do things in the worst way, do you think a doctor wants to kill his patients or do something that would endanger the patient if they didn't have to?
> Well, somehow engineers and architects manage to resist management pressures in favor for security
When this does happen, it's often because management's "security" request is either nonsensical--based on some puff piece they saw in an airport magazine--or they won't accept the necessary financial-costs/organizational-changes of doing it right.
It's no coincidence that the people with the most exemptions from security policy are usually the upper management.
> Well, somehow engineers and architects manage to resist management pressures in favor for security, you don't see many bridges collapsing but they have financial constraints too. And accountants resist management pressures to bend the accounting standard, or they go to prison too.
Generally, yes, but not always. Sometimes they get boxed in by management and forced to make bad choices. When this happens, it usually leads to a spectacular failure ... and then the scapegoat is found.
The most famous case is probably the Challenger space shuttle. At Texas A&M they make sure every engineering student reads the story [1] of the Morton Thiokol employees assessing whether or not it was safe to launch at such low temperatures. The engineers had solid doubts, and refused to declare it safe. The managers had pressure from every direction to get to "yes" and launch the bird already.
Finally, during the teleconference the night before, one of the engineers' superiors said "Take off your engineering hat and put on your management hat." A new recommendation was put out (bypassing the engineers who still refused to sign off), and the next morning they got their launch like they wanted.
Just over a minute later the shuttle exploded, killing the crew and putting American manned spaceflight on a multi-year hiatus.
There are always cases like this in every profession. Some dam in Italy which collapsed for a similar reason, incompetent doctors, Enron, etc.
But when you go see your doctor, you do not rely on the fact that he is one of the best doctors in the US. You have no way to tell. You rely on the fact that even an average doctor is good enough to not miss something important.
Well the problem with IT security as it is now, is that we see major breaches almost every week. Some were difficult to avoid but in many case it is just because of bad security design, and in some case people developers ignoring completely security.
And I am sure Sony's management didn't box the developers in storing passwords in clear text.
Actually in most cases they are, Most security issues are shown on the yearly/quarterly/weekly compliance scans. A majority of the time this gets forwarded to senior management requesting resources to fix said security issue. I've seen first hand senior management direct IT teams to sweep it under the rug so to say. Any competent IT team is well aware of their security concerns, however if management isn't on board it just becomes another skeleton in their closet.
You should be upvoted way more. I also worked in healthcare IT for three years and security was basically an exercise in checking boxes to claim HIPAA compliance. So long as everyone could avoid fines or being sued by the office of civil rights we were considered secure.
During an auto accident & court case everyone- doctors, lawyers, insurance- used my SS# as a case identifier even though I never gave it out. If a few percent of these are sloppy, them one could be screwed. Some meth people like to dumster dive insurance companies and the like.
I'm waiting for a case of plausible deniability through abstraction of identity to cause the whole SSN based system to collapse. As sloppy as our government and corporations have gone about handling our SSN, there is ever increasing lack of confidence that it individually and uniquely identifies anyone.
If you are ever unfortunate enough to be unemployed in California, and claim unemployment benefits, they print your social security number right at the top of every correspondence. Idiotic.
That's what an SSN means; it's literally what it's for. The problem is the idiots who use it as some kind of secret unique identifier for people, when it was never meant to be that.
Don't lose heart - working in the industrial safety business, the 'just check the boxes' tactic is very familiar. Things are finally coming around after many years (and many, many incidents) though, as companies, and the courts, realise that ticking boxes isn't the be all and end all.
At the moment, it's very easy for companies like Anthem to claim that they were the victim of a 'very sophisticated' cyber attack, when in reality they were probably just wilfully negligent. As understanding seeps into the regulators and law-makers minds, businesses will start to comply with the spirit of security / HIPAA, not just the boxes. In the mean time, the best you can do is continue to advise clearly and calmly why things should be done. If the management doesn't accept your reasoning, at least you have done your due diligence.
I agree. One medical student I know personally (whom I shall not reveal publicly) was interning in a hospital recently and during the course of their learning there had a very good opportunity to just take away tons of private medical data with them. They of course didn't take that opportunity, but from what they told me, it's very, very easy to do that. Frighteningly easy.
205 comments
[ 3.2 ms ] story [ 244 ms ] threadBasically to sum it up: "Your Social Security Number, Name, Birthdate, Address, and everything else needed to steal your identity is at risk. But don't worry! Your credit card number is safe."
[1] http://whois.icann.org/en/lookup?name=anthemfacts.com
To give 'em the benefit of the doubt-- perhaps perhaps perhaps they needed that particular domain in anticipation of some other instance where they dropped the ball but your conclusion is more compelling.
"The company also confirmed Friday that it found that unauthorized data queries with similar hallmarks started as early as Dec. 10 and continued sporadically until Jan. 27. ... The hackers succeeded in penetrating the system and stealing customer data sometime after Dec. 10 and before Jan. 27, Binns said."
http://www.sacbee.com/news/nation-world/national/article9480...
http://webcache.googleusercontent.com/search?q=cache%3AjPUYS...
That forces individuals to treat it as sensitive information.
Seriously, if California is giving driver's licenses to whoever wants them (and who's 16 and can learn to drive), I don't see the harm sending out centrally verifiable identity cards. The costs of implementing such a system have gone way down over the years, but to be sure, bid out the job and finance it with surcharges on credit report checks, and any other transaction that involves verifying identity. There are surcharges everywhere else in the transaction. What probably concerns a lot of people is that they don't want the government to know every time they get a credit check. Not sure how you solve that, other than making this a GSE or legal monopoly.
>I'm guessing its some kind of privacy issue behind there not being a similar system in US?
The social security system, which is a federal program, produced a unique number for all citizens. The states quickly started using this number in their own bureaucracy and everyone else followed (banks, etc). Now its a defacto numeric identifier.
The big problem here is how easy it is to get credit in my name if you have my SSN, like its the root password to my finances. Credit is far too easy to get in the states from a paperwork perspective. I should not fear other people getting my SSN. Banks and other organizations need to realize that if someone presents my SSN, that doesn't mean its me. More numbers or psuedo-SSN's aren't the fix here. The fix is due diligence and better fraud protections.
Not to mention everyone already carries a unique identifier thats easy to verify - your fingerprint. I think SSN + fingerprint plus a letter sent to my home that needs to be signed should be the minimum to open any line of credit. SSN alone should be worthless.
Its also bothersome that PCI-DSS and other regulations treat credit cards like NSA secrets, which is fine as they should be encrypted, but there's no legislation or guidelines to make SSN's encrypted. SSN's sit as plain-text in every database in the US. That's kind of scary and probably invites hacks.
Actually a surprising number of people don't. For either medical (dermatitis), work (manual laborer wearing them out, operation room personnel scrubbing them out...) or age related reasons.
There is also the Real ID Act[1] that trying to establish federal id requirements. This is going to cause some problems and look for it in the news. It is a DHS enforced national ID law.
And yes, some of the folks in the US believe a national ID that is needed to buy, sell, or get a job would be a little too close to the Bible's mark of the beast. That gives quite a lot of friction to any national id.
1) http://en.wikipedia.org/wiki/REAL_ID_Act
You're exaggerating a bit into a strawman.
I strongly oppose REAL ID (which, by the way, was around for a while before the DHS existed). And as a "tooth fairy agnostic" as Dawkins would say, I'm not the least bit concerned about the number of the beast.
What I am concerned about - and this goes the same for anyone else with whom I've discussed the issue - is, why is it the federal government's business at all when and how I "buy, sell, or get a job"? This seems like a tool for the federal government to get its grubby mitts into more stuff that's not within its enumerated powers.
Perhaps I should have separated that from the DHS stuff, but it is a belief of some folks (enough who vote to have made a long difference) and it goes to why we don't currently have a national id. It is part of the history in the US and the original poster is not from the US and wanted some reasons.
DHS is the agency currently charged with Real ID Act oversight. I'm not sure the who is important before the law is implemented.
The problem with this number is that, similar to Sweden, it can be used as an identity number and as a password. This is a terrible thing to do. In your small country of homogenous socially protected people, you may not have a widespread problem of theft. In the US, however, there is an entire industry of stealing these numbers in order to take out new lines of credit, buy items at stores, and then not pay them off.
Your income is strongly correlated with your health. The lower your income the more likely you are to suffer from conditions such as obesity and diabetes, and the higher your mortality rate will be. Health insurers can use income figures as one factor when calculating the overall risk of a policy.
It's not illegal, but it violates the contract you sign with them and lets them off the hook for paying for things. Mind you, they'll still keep the money you paid them.
Possibly Affordable Care Act compliance? Calculating income-based health care subsidies appropriately?
It's because they offer disability benefits, which tend to be a percentage of one's income.
http://www.anthem.com/wps/portal/ahplife?content_path=life/n...
My employer uses Anthem for health insurance but another company for disability, so if our data leaked our income data should be safe. We'll see!
http://www.clarkhoward.com/news/clark-howard/personal-financ...
"Fees for Identity Theft Victims: Free; Non-victims: $10"
If I wait to become a victim, I can save tens of dollars!
[edit]: Disclaimer - I'm CTO at @menlosecurity.
It seems to me that its the usual issue. People don't see the need for protection until they've been hit. It seems to be a cost that doesn't make sense to them. They don't even care anymore.
Then they get hit hard. But it can take years.
Disclaimer: I built the first IPS to be commercialized and yes we used signatures amongst other things.
"The scanner says your server is vulnerable"
"Ya, we patched that vulnerability weeks ago"
"The scanner says it's vulnerable"
"OK.... looks at scanner - oh, it's just reading the banner, and not taking into account that the major rev didn't change, it's patched"
"The scanner says it's vulnerable"
"OK... so what if I change the banner so it doesn't pick it up as vulnerable?"
"The scanner says it's secure now, thanks!!"
The guys who know their stuff in security generally have a desire to actually get paid well, and have time to do legitimate research. They don't really have a desire to sit in a corporate job dealing with the mountains of bureaucratic bullshit that goes along with security in a corporation. Do you really want to be the guy who gets thrown under the bus because you had to disable strong passwords because the CEO was angry he needed both upper and lower case letters in his AD password?
Except those strong password policies don't strengthen security at all, neither in theory nor practice. Congratulations, the CEO's password is now "qweRTY" and it's written on a yellow sticky-note on his monitor.
I literally tell my parents to have a secure password they write on a post-it note. The odds of someone breaking into their house for their password is about 1/10000th the odds of someone cracking their simple password on a website and getting the keys to the kingdom.
Anthem’s own associates’ personal information – including my own – was accessed during this security breach.
They've done a bad job of protecting their customer's data, and an even worse job of explaining what actually happened.
It's great that they "made every effort to close the security vulnerability". How's that going?
They hired Mandiant to "evaluate our systems and identify solutions based on the evolving landscape." Is "evolving landscape" CEO-speak for "Oh, god, we're still leaking customer data like a sieve, make it stop!"?
I'm just going to keep speculating, because if Anthem's not going to bother speaking plainly, I'm just going to assume the worst.
I love that quote, they try to cover their asses by saying we closed the vulnerability. My question is why did you wait till it was taken advantage of?
2/4/15 (umm, today): http://www.careers.antheminc.com/jobs/cloud-encryption-secur...
1/30/15: http://www.careers.antheminc.com/jobs/checkpoint-firewall-ex...
Could be a coincidence, but I wouldn't be surprised if they were compromised several days before this press release.
https://www.privacyrights.org/how-to-deal-security-breach covers situations like this where there's been a security breach - how to order and monitory credit reports, put in a security freeze (which makes it harder to open up new credit cards or credit lines in your name), etc.
https://www.privacyrights.org/content/identity-theft-what-do... covers when you've actually been the victim of an identity theft
A question to ask is how secure is a large network of EHRs going to be? I don't know of data showing the frequency or severity of EHR security breaches but it would be surprising if there were not at least some. In any case, this kind of info would probably not be made available to the public, even though it should be.
Anthem's poor job of keeping confidential info private is especially distressing given the fact that many health insurers are also health care providers (e.g., hospital systems). Computer systems are very hard to operate securely, and after what happened, it's hard to trust these corporations will take the task seriously.
I've been quietly predicting that security of health information is going to become the Next Big Privacy Issue as the Internet of Medical Records grows ever larger.
LOL, everyone 'on the inside' (by that I mean: at least anyone who works on computers, software or networks professionally) knows the answer to that question: it's going to be a train wreck. There is not a single person on this planet who really understands just 1% of the software, hardware and network infrastructure they/we work on every day; let alone how all of these interact. Computers, in 2015, are so complex, and our 'engineering' is so shoddy, that there is no way to safeguard networked data for anyone but the most determined and resourceful parties (by which I mean organizations of which there are but a handful in the whole world, and even those can't seem to keep secrets really secret.) Either way, there is no way at all that a non-IT focused organization like a healthcare insurer or provider will be able to keep data secure, and it's only a matter of time before incidents like this will become commonplace.
Consider: I have an in-law who is a partner in a largish practice in my area. We talked a bit about the business aspects of the practice when she became a partner because she had to put up with all the management crap all of a sudden and it was nice for her to vent to people who had similar issues. Anyway, point being I know a bit about the finance and management of a rather typical organization like that. These people will in the next 5 years somehow get access to our, by then, country-wide EHR system. They work on computers they buy from the local computer shop because the prices 'seem reasonable' and Jimmy who works there dates the secretary or whatever; so Jimmy (whose training was in swapping out hard disks and reinstalling Windows) is the one who 'maintains' their systems, too. Their cash flow is so precarious that some months they can't pay full wages to the partners. How will an organization like that ever be able to secure their network? Their 'security' consists of the cable guy setting a non-default WPA key on their wireless router.
And of course, they're required by the organization that maintains the EHR system to have 'regular auditing of their systems' to ensure security. Which consists of a couple of big 4 consultants who interview the management, tick some boxes on their checklist and make a 50-page CYA report out of that, without ever having touched a server or network.
I got out of the security game 10 years ago, and it was already scary back then. Maybe somebody who still works there will feel otherwise, but computer security (on the blue team) is like FEMA sending two guys with a shovel and a Walmart plastic bucket to a dike breach. (whereas on the red team it's shooting fish in a barrel, of course.) We are truly fucked, because too few people understand the magnitude of the problem and as long as there are no problems and you don't look too closely at the robustness of things, using computers is much cheaper than the alternatives.
How to implement that technically becomes an interesting question, but between pocket spies with storage measured in tens of GB to TB, and various forms of key authentication, it seems that there are several possible options.
The whole discussion above regarding the false crime of "identity theft" (it's impersonation fraud facilitated by the data holder's negligence) is another point of increasing frustration for me.
I've been having a few related discussions with David Brin (a data cornucopian) on Google+. Brin, hardly to my surprise, responds with extreme derision.
http://www.nytimes.com/2015/02/05/business/hackers-breached-...
> Anthem learned of the hacking last week and called in Mandiant over the weekend. The company was not obligated to report the breach for at least several more weeks but chose to do so now to show that it was treating the matter seriously.
As user jakejohns has pointed out (https://news.ycombinator.com/item?id=9002003), the WHOIS points to a creation date for ANTHEMFACTS.com of `2014-12-13` with GoDaddy.
have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data
And you were doxxed nearly two months ago. Or maybe not, because Anthem goes out of its way to NOT tell you when this occurred. If you were affected here's how they will notify you:
We continue working to identify the members who are impacted. We will begin to mail letters to impacted members in the coming weeks.
So sometime within the next month you will get a snail mail telling you that you were doxxed... and that letter will probably be extremely vague about the details, but will be quite heavy on the PR and perhaps even have a nice picture of Grandpa CEO at the top.
Anthem is not taking this seriously. No matter what they are trying to communicate with their PR gloss, they seem to care about covering their asses first and really don't seem to give a hoot about all your personal data that is out there in the wild.
More like AnthemLies.com...
A pertinent example of doxxing is what the FBI did to linking DPR to Ross Ulbricht due to the mistake he made on a bulletin board.
Why does the victim have to be anonymous?
Kind of like how troll now means 'person who is an asshole on the internet' instead of 'post designed to rile up and elicit frivolous responses'. The meaning has changed over time for better or worse.
http://en.wikipedia.org/wiki/Doxing
And didn't the GGers "dox" Randi, Anita, Brianna, etc?
But I'm even more old school because I'd just call it skiptracing instead of doxing....
Essentially, doxing is revealing and releasing records of an individual, which were previously private, to the public.
Where's the "reveal" in this hack? They'll use the hacked info privately or sell it.
Did you read the comments completely? If Randi, Anita, and Brianna weren't anonymous but they were "doxed" it seems to me that "doxing" doesn't have to refer to revealing info of an anonymous person.
Could it be that the anthemfacts.com domain was intended for a different use, or to prevent someone else from registering it, and was re-purposed after the intrusion to present Anthem's case? I don't know much about SEO, but quarantining negative information on a separate, immediately available domain might be the motivation here.
Seems very unlikely.
And I'm sure they're quarantining negative info on an unrelated domain, but why would they even need to consider repurposing an existing domain name, instead of buying one? We're not talking about somebody doing a side project and hoping to save a few bucks by repurposing another domain name. And it takes all of a few hours to buy a domain name and have it propogate.
The website itself says "we have created a dedicated website ... anthemfacts.com" for this incident.
[Edit: replaced two egregious uses of "website" with "domain"]
My point is that while it is used for that purpose now, that doesn't mean that it was registered for that purpose back in mid-December. Your theory about the breach occurring earlier and being concealed until now is certainly possible, but the domain registration date on its own is not supporting evidence.
Maybe after the Stanford (and other such announcements), they had decided in mid-December to snag anthemfacts.com and then, after learning of the breach, decided to put it into action for this monumental event. However, what are the chances that it took one week for a health insurer, upon discovering the breach, to launch its PR campaign, nevermind fully understand the nature of the breach to be able to publicly announce it. Given the delicate nature of the situation, as well as its historic size, this is not something that a health insurer would want to prematurely make an announcement on without being very sure that the damage is contained. And they contained it within a week? I realize that I'm slightly begging the question here, but yes, part of my skepticism comes from how quickly they were able to move...One week would make it one of the fastest discoveries-to-announcements, which given the scope of the breach, is pretty amazing.
Edit: It's worth pointing out though that there would be records of them contacting the FBI and Mandiant, and I would give them the benefit of the doubt that they would make such contacts upon discovery of the breach...so if the FBI confirms that the contact happened a week ago, I would take Anthem at their word.
> "Anthem’s Mr. Miller said the first sign of the attack came in the middle of last week, when a systems administrator noticed that a database query was being run using his identifier code although he hadn’t initiated it."
AnthemFacts was registered 54 days ago, which would be within the legal timeframe for disclosure that the Wall Street Journal notes in their article:
> "Federal law requires health-care companies to inform consumers and regulators when they suffer a data breach involving personally identifiable information, but they have as many as 60 days after the discovery of an attack to report it."
Lastly, some more "specifics" that NY Times didn't mention:
> "Investigators tracked the hacked data to an outside Web-storage service and were able to freeze it there, but it isn't yet clear if the hackers were able to earlier remove it to another location, Mr. Miller said. The Web storage service used by the hackers, which Mr. Miller declined to name, was one that is commonly used by U.S. companies, which may have made the initial data theft harder to detect."
[1] http://www.wsj.com/articles/health-insurer-anthem-hit-by-hac...
"The company also confirmed Friday that it found that unauthorized data queries with similar hallmarks started as early as Dec. 10 and continued sporadically until Jan. 27. ... The hackers succeeded in penetrating the system and stealing customer data sometime after Dec. 10 and before Jan. 27, Binns said."
http://www.sacbee.com/news/nation-world/national/article9480...
I'm especially unimpressed by Anthem's failure to hire a good copy editor for such a vital message, as evidenced by the painfully obvious error at the end of the penultimate paragraph: "share that information you" should read "share that information with you".
https://news.ycombinator.com/item?id=7369725
https://news.ycombinator.com/item?id=6583776
https://news.ycombinator.com/item?id=7369713
https://news.ycombinator.com/item?id=3482991
https://news.ycombinator.com/item?id=6583879
https://news.ycombinator.com/item?id=3483009
It seems like a risk with no benefit, with the only justification being "all data could be valuable eventually so let's never delete even the personal sensitive data." Ironically, the data did eventually become valuable - to someone else.
It used to be common for insurance companies to look carefully at your coverage record, and if you had any time during which you were not covered, they'd say stuff like "Oh, that horrible cancer you have? Yeah, we're not paying for it because it was a 'pre-existing condition' that you got during that weekend you had between two jobs six years ago." And the law let them do that.
Health care in the US is . . . the phrase "utterly broken" isn't strong enough. We need a good fifteen syllable German word for how fantastically fucked up it is.
Of course I'm trying to explain Anthem hanging onto data. Probably it was totally selfish ("we can send them spam") or sheer laziness.
This is just a random link describing one scenario - http://www.yourwisconsininjurylawyers.com/library/claim-deni...
I believe this is no longer allowed under relatively recent law.
IIUC, not since Obamacare went into full effect in 2014. One of the main provisions of it was that it became illegal to deny coverage based on pre-existing conditions.
They still need the records because one of the other effects of Obamacare is that it became illegal to not have health insurance, but it's broken in a different way now.
I am concerned that if the industry doesn't fix this, regulation will.
It will mean licenses and certifications to have the right to store personal data, regulations to comply with in term of system architecture with audits and penalties for breaches. More bureaucracy and processes. You won't create a website over a week end.
Currently any idiot can create a database and store sensitive information without even knowing what a SQL injection or a rainbow table is.
Most professions are regulated: architects, doctors, pilots, farmers, bankers, even restaurants! And each time regulations come as a result of fk ups: banks or homes collapsing, conmen selling snake oil, food poisoning, etc. IT is the only sector where mild amateurism is not only acceptable but rather the norm more than the exception.
(Hint: http://www.ecfr.gov/cgi-bin/text-idx?SID=9e10f619aa05225aef1... Subpart C—Security Standards for the Protection of Electronic Protected Health Information)
Yet companies I work with now big and small look at security as just a bunch of checkboxes on a government audit form. As long as upper management continue to see security as a cost loss center, and continue to only do the minimum nessissary to pass said audits. These breaches will continue to happen.
I don't think we proactively pentest our stuff either. I've never heard of any security discussions but that may just mean I'm not being included. We have a few more zeroes after our PHI record count too.
What provision of HIPAA does this actually violate?
Its clearly a bad practice (and obviously increase the risk of a breach, which, if it occurs, becomes an issue under HIPAA and related laws), but AFAIK neither HIPAA and subsequent modifying statutes nor the regulations adopted thereunder actually mandate particular password handling practices. Or is there something addressing that in the "guidance" issued under the HITECH act (I remember that establishing, by reference, some standards for encryption, and it wouldn't have been out of place for it to establish password-handling practices)?
HIPAA and similar laws don't codify whatever we think is good computing practice today. Down that path lies madness. Congress would have to re-write the law any time GCPs change, or else the law would become a hindrance to the very goals its trying to achieve (in this case, healthcare-related information security). Instead, the law is written more generally, with "reasonable" being the keyword that lets the legal system refer to current practice.
(My adaptation of "GCP" is stolen shamelessly from the clinical research folks, who use it to refer to "good clinical practice", https://en.wikipedia.org/wiki/Good_clinical_practice.)
But they also have freedom to select the particular security measures to use, considering: "(i) The size, complexity, and capabilities of the covered entity. (ii) The covered entity's technical infrastructure, hardware, and software security capabilities. (iii) The costs of security measures. (iv) The probability and criticality of potential risks to electronic protected health information." 45 C.F.R. § 164.306(b)
> HIPAA and similar laws don't codify whatever we think is good computing practice today.
No, but that's what implementing regulations usually do. HIPAA regs mostly don't include minimum technical standards (most of the security minimum standards are procedural).
> Congress would have to re-write the law any time GCPs change
Well, sure, if the minimum standards were written into the statute, which is why they are usually in the much-easier-to-change implementing regulations. The guidance under the HITECH act in effect did some of this for HIPAA PHI, as it created minimum standards for PHI to be considered "secured". But, generally, there's not much there, and its very difficult to make a solid case that any particular technical practice is necessarily a violation of the HIPAA Security Rule.
I can only imagine the data protection standards at small equipment manufacturers and old-school pharmacies. I'd guess their biggest security measure is keeping paper files in a locked office.
Management focus would ensure everyone in the organisation focuses on security but most security breaches are the result of IT people doing stupid things or making stupid decisions on the ground. It's not senior management's role to check that you didn't introduce a SQL injection risk in your code. Like it is not senior management's role to check that the accounting department followed properly the latest US GAAP guidelines. It's down to employees being competent at what they do.
Senior management might not directly set the password policy, but they do say what you should work on, and by proxy, what you're not going to have the time to work on. And besides, what is the role of management if not keeping track of their employees? If an employee fucks up that bad, it's their managers fault.
And yes, if the accounting department was that incompetent, SOX says it's senior management's fault. That's what the yearly attestation is for.
IT is in many respect an unregulated profession. Pretty much anyone can declare himself a programmer. There are some regulations on certain systems but not on people.
I am not a fan of regulation but the current pace of data breaches is just unacceptable. If we don't find a solution, some old lawmaker will.
I'm just going to have to disagree with you and move on about regulating the people, though. I see your point, but I just don't agree. If anything, I feel managers should be regulated, so they are only allowed to oversee positions where they have the knowledge to fully understand what their direct reports are doing, from front-line to c-level. That's what I feel is the problem.
SOX isn't a regulation of the programmer, it's a verification that his management actually doing their job overseeing him.
Complaining about budgets to fix these issues is like saying that the problems with collapsing bridges is that we don't spend enough fixing the structure. Well, it should have been built properly in the first place.
Yes, resources will have to be allocated to fix existing systems but I think the problem here is more fundamental than a problem of budget and management focus. We need to have a profession competent enough to build a bridge structurally sound even with average engineers.
And this is a general comment. We don't know yet how this particular breach happened.
I'd like to think that engineers do want to build things properly, however to build something properly it usually involves more resources. The problem is when it comes down to brass tax the low bidder wins. I've worked in many big companies over many years, and yes I've hacked things together MANY times because of budget/time constraints. A lot of it was because of Management wanting to come under budget, or because they wanted to rush the product to be a hero.
I don't get where this idea comes from that engineers just want to do things in the worst way, do you think a doctor wants to kill his patients or do something that would endanger the patient if they didn't have to?
When this does happen, it's often because management's "security" request is either nonsensical--based on some puff piece they saw in an airport magazine--or they won't accept the necessary financial-costs/organizational-changes of doing it right.
It's no coincidence that the people with the most exemptions from security policy are usually the upper management.
Generally, yes, but not always. Sometimes they get boxed in by management and forced to make bad choices. When this happens, it usually leads to a spectacular failure ... and then the scapegoat is found.
The most famous case is probably the Challenger space shuttle. At Texas A&M they make sure every engineering student reads the story [1] of the Morton Thiokol employees assessing whether or not it was safe to launch at such low temperatures. The engineers had solid doubts, and refused to declare it safe. The managers had pressure from every direction to get to "yes" and launch the bird already.
Finally, during the teleconference the night before, one of the engineers' superiors said "Take off your engineering hat and put on your management hat." A new recommendation was put out (bypassing the engineers who still refused to sign off), and the next morning they got their launch like they wanted.
Just over a minute later the shuttle exploded, killing the crew and putting American manned spaceflight on a multi-year hiatus.
--------------------------------------------------------------------------------
[1] http://ethics.tamu.edu/Portals/3/Case%20Studies/Shuttle.pdf
But when you go see your doctor, you do not rely on the fact that he is one of the best doctors in the US. You have no way to tell. You rely on the fact that even an average doctor is good enough to not miss something important.
Well the problem with IT security as it is now, is that we see major breaches almost every week. Some were difficult to avoid but in many case it is just because of bad security design, and in some case people developers ignoring completely security.
And I am sure Sony's management didn't box the developers in storing passwords in clear text.
At the moment, it's very easy for companies like Anthem to claim that they were the victim of a 'very sophisticated' cyber attack, when in reality they were probably just wilfully negligent. As understanding seeps into the regulators and law-makers minds, businesses will start to comply with the spirit of security / HIPAA, not just the boxes. In the mean time, the best you can do is continue to advise clearly and calmly why things should be done. If the management doesn't accept your reasoning, at least you have done your due diligence.