Officials at Anthem detected the theft of the trove of customer information as it was being sent from its computers on Jan. 29, according to one of the people, which they said is still in its early stages.
As others have pointed out, running a whois on the anthemfacts webpage returns a registration date of 12/13/2014 [1] which is most likely when the breach occurred. Not January 29th.
The domain doesn't prove they knew anything then. It's too generic, it's not like it was something like anthemdatabreachfacts.com.
The company just changed its name from Wellpoint to Anthem in December and could have bought up a bunch of "anthem*.com" domain names around then to keep in reserve.
Or they bought the domain back then and planned to use it for this explicit purpose. It's not a question of "will" a big company get hacked, it's a question of "when".
Also I'm sure a major healthcare company that handles tens of millions of sensitive personal records has enough foresight to see a data breach coming. HIPAA and ACA probably mandate healthcare companies having this exact kind of plan ready to deploy in the event of a hack.
Come on, give them some credit for the facts they did provide. They detected a breach where sensitive data was stolen on January 29th. This does not preclude that they also detected a breach first, on or before December 13!
Did anyone record any downtime of their public-facing systems in this time? You know when you're a sysadmin and you notice something really bad happening, you shut down the affected systems immediately and try to minimize the damage? You never know what kind of back doors have been put in place, after you are breached.
It is also entirely plausible that the breach is still ongoing now, after a month and a half why not, but they are just no longer able to detect it. These people are some of the most important cogs in the health care machine, the insurance providers! If they had some kind of downtime that was actually affecting their ability to provide services, well then they might actually be subject to some real form of legal action, maybe even pay serious damages to their customers. Thank heavens that didn't happen!
They are paying lip service to security because it's not as important to them as, you know, basically anything else. Like say, receivables. It's only identity theft!
"The company also confirmed Friday that it found that unauthorized data queries with similar hallmarks started as early as Dec. 10 and continued sporadically until Jan. 27."
"...and increased pressure on the U.S. government to respond more forcefully."
Rather than responding to hacks with counterattacks or an attempt at diplomacy, the first priority ought to be to strengthen the defences of companies handling sensitive data.
While a large system may never be made impenetrable, it could certainly be a lot harder and more costly to pull off an attack against most of these companies than it is today.
If this is considered a crisis, redirecting a few of those billions earmarked for NSAs offensive capabilities towards vetting and improving the security of US companies would make a good strategy.
Indeed, that seems very appropriate though arguably many years too late. I am not an American myself, but I hope for their sake that it makes it through Congress this time.
The 2 headlines and claims aren't mutually exclusive. The FBI investigated reports that the Russian government was tied to the hack, and concluded they weren't. That doesn't mean the actors weren't Russian citizens and/or living in Russia.
Just as an example, the Target and Home Depot breaches were almost certainly conducted by the same fairly well-known group of Russian hackers and fraudsters, but they have no known ties to the Russian government.
Is this just becoming the easy thing to do? Blame China or Russia while the story is still hot off the press? It seems that every time a company is hacked, the first thing they do is exclaim how some big, scary government is behind it or how "incredibly complex" the hack was. "Oh yeah, we lost your entire life's information, but it was the most complicated hacking attack we've every seen!" "Our team has never seen something of this magnitude." "We immediately disabled the threat the second our complex internal systems detected the activity." Every hack has the same corporate response.
I was legitimately surprised when the FBI actually stood behind their NK assertion with the Sony hack. Normally when the US randomly points their finger at some government, when they're challenged they back down or when you dig into it it is an unnamed source in US state/intelligence.
So maybe in the Sony hack case it was NK, however I'd love to see the US's evidence. If they have two dozen proxies, one of which happened to come from NK thus that "proves" it was NK, then sorry, but no. However if they can prove that one connection was not proxied somehow and originated from NK then fair call.
I doubt they'll ever release technical information however.
Super easy and really annoying but probably relatively effective PR. The news on this stuff sees lots of eyeballs compared to follow-ups or clarifications. Plus the consequences for being found wrong downstream and pretty minimal, sadly. Casting these kinds of aspersions redirects fear & anger from the company to boogeyman nation-states.
[Edit: I just noticed these are government and not private analysts making the claims, so my comment is now a bit cynical for my own taste... but I think it's still effective PR and I expect private security companies to field more "So you're not saying is WASN'T North Korea, right?" kinds of questioning from corporate clients.]
Yeah, I don't object to suspecting our intelligence agencies have a habit of using information to benefit their budgets in that way, especially when there are opportunities to be technically accurate but let the media fill in the blanks (ie: "We think the hackers were Russian" becomes headline: "Russia involved in hacks").
There's a history of state-sponsored and not so state-sponsored cybercrime from both these countries against the United States and US businesses, so it's not an assumption that's too far off the mark. Assumptions don't equal guilt, but even the headline says "suspected".
This is SSN data that was stolen, it's a whole different beast that the FBI's kerfuffle (to put it lightly) with the Sony Pictures hack.
> This is SSN data that was stolen, it's a whole different beast that the ... Sony Pictures hack.
I can't tell which one you think is more serious. It sounds like you think it'd be a very serious matter if SSN data was stolen. But haven't the vast majority of SSNs been available on the various blackhat markets for many years?
The alternative, perhaps equally Occams-Razor-friendly explanation is that only hacks where China can be/is blamed make the news. Boring run-of-the-mill criminal syndicates don't cut it any more.
This attitude is pervasive on HN, and I find it a little baffling. If someone took advantage of a lax property-management company to successfully burgle an apartment complex, I can't imagine anyone being so cavalier about pursuing the actual criminals behind the theft.
Even if the apartment complex didn't lock the doors and didn't allow tenants to put locks on the doors? If the apartment complex was supposed to have employees that install and check locks and cut the budget? If those cuts helped the apartment complex turn $2.56B in net income last year?
So we should expect that criminals, who by definition violate laws and regulations, won't do something simply because it is illegal?
In that case, we should just put trespassing and breaking and entering laws on the books and call it a day, that should stamp out the problem immediately.
There can be more than one bad guy. If your maintenance guy left the door unlocked, and a burglar walked in and stole all your shit, then both of them are responsible.
I take it as a matter of practicality. Network intrusions are, as a rule:
a) much harder to attribute,
b) impossible to prosecute (Assume it is Russia or China, what is your recourse? the U.S. is already hacking them too, under slightly different rules, and any other response is just a needless international incident. If it is people in another country, not associated with their government, there is even less you can do), and
c) possible, at least in theory, to defend against robustly (compared to doors and locks which are always vulnerable to literal brute force, without the need to be particularly clever about it).
So, given that punishment is impossible and prevention is possible, focusing on the second is a good idea. Or, at least, in some combination of prevention and mitigation (including insurance, or say, ways of detecting and changing stolen SSNs or credit card numbers with minimal disruption). Now, I am not saying it's the fault of a single insurance company. Security is pretty hard to get right and we systematically under-prioritize it when developing the technologies and systems we use. But as a society, making our computer systems more secure is more cost effective than keeping pilling up cyber crime laws that are unenforceable unless you happen to get lucky enough that the hacker is among the 1/20th of the world population you have jurisdiction over, or getting into a harmful retaliatory mode under ideas like "cyber-warfare".
p.s. By "possible to defend against robustly", I mean when you trust the suppliers of your computing base to be non-malicious and you have ensured physical security (which you can enforce by law and national defense and whatever other age tested methods people/groups/nations have used to secure their property for millenia).
I have no problem with them pursing the criminals.
However, the criminals lately always seem to be "China" or "Russia" rather than "Chinese individuals" or "Russian individuals". The reason for this is that practically every contract includes an escape clause for "Act of War" by a foreign state but not for foreign individuals.
To further your analogy, if someone burgled an apartment complex because the manager left the skeleton key under his doormat, you can be sure that the apartment manager would be getting prosecuted for gross negligence as well as the individual who burgled the apartments.
It's time that an IT breach carry a charge of gross negligence against the CEO. Suddenly, IT will have lots of funding and importance.
Many CEOs are salesmen or MBAs. They have nothing but contempt for IT. It's just a necessary cost center, funded at the minimum possible level.
HIPPA violations should be like Sarbox. The CEO should be held personally responsible, ideally by being terminated and then prosecuted. Then, and only then, will the average CEO take any of this seriously.
If it was really detected at egress then that would make it a sloppy operation. The Chinese should object to the FBI insulting their espionage teams - or say it was just a training exercise.
I honestly don't care who did this. Can we please take public key cryptography mainstream now. The fact that basic metadata like Name, birthdate mother's maiden name and SSN are sufficient to gain access to many aspects of my life are ridiculous.
What I don't want to see is knee-jerk legislation that erodes our privacy and rights further.
Really, just mandate by an act of congress that companies need to rely on public key cryptography within 5 years for everything and you'll see user-friendly solutions appear really friggin quick.
I remember back when I was in banking when they announced some crazy retention policies on all communication (written and voice) that wasn't technically feasible at the time congress passed the laws requiring those retention policies. Within a few years, there were a bunch of vendors with solutions for the banks to implement. Necessity is the mother of invention. Invent a necessity through an act of Congress and people will invent.
Do you mean public key cryptography as a replacement to a world-readable SSN, or public key cryptography to prevent breaches like these?
The first suggestion would be much more secure but would be difficult and very lengthy to implement, and the second would not have helped in a situation like this.
I'm suggesting the former. For every transaction where my identification needs to be verified, I should be able to sign off digitally.
Identity Theft is a completely made up thing, that used to be called fraud. When it was called fraud it was the responsibility of the institutions to protect themselves. Instead they use the word identity theft to make it the problem of the victim. If someone goes to the bank and pretends to be me and gets a line of credit, spends a ton of money, I am left holding the bag since it destroys my credit rating. Yet, I didn't do anything at all wrong. These institutions rely on woefully inadequate measures to determine identity and when something goes wrong, the person who should pay for inadequately verifying identity is the financial institution that messed up and gave credit to the wrong person under false pretenses.
Anthem is my insurer and now I'm responsible for dealing with the fallout from every institution's completely inadequate processes for verifying identity. How is that fair?
The solution isn't hard, you'd get an account with an identity signing service that goes to great lengths to confirm your identity. Once your identity has been confirmed, you either generate your own private and public keys and upload your public key to them or they can generate both on your behalf. After that, you either host your own service to sign with your private key or you redirect signing to the identity provider if they generated a key for you.
This is not a pipe dream. It just requires mandating that companies need to require that you sign off on things cryptographically. If you have not signed off, then the losses and consequences from fraud are their responsibility, not yours.
I remember reading cyberpunk novels when I was younger, Neuromancer and everything since, and thinking that all those stories about plucky hackers cracking governments and megacorps were hopelessly mired in the '80s. In the internet era, no group with millions of dollars to spend and a reputation on the line could possibly have such shoddy security.
Is it weird that this would make me feel ever so slightly better that my info got hacked?
I mean, I'm not a government worker or contractor. Even if I was, my password is randomly generated and not used elsewhere. If it wasn't for profit hackers, identify theft with social security numbers is perhaps less of a concern. And my password was randomly generated, so they can't get into any other accounts, so identity theft and fraud based on it is probably the biggest threat.
I really wish there was a good health insurance company (or a single payer system) I could switch to, but anthem is honestly the least bad company currently available to me.
What's the advantage to the Chinese government in acquiring the personal info of 80 million Americans? Are they going to bring it up in the next meeting with President Obama? "You know, Barack, it'd be a shame if all that info about your citizens got misused. A real shame-like." That'd be silly. I just don't see their motivation in being behind it.
The usual motivation for stuff like spying and data theft is the acronym MICE - Money, Ideology, Coercion, and Ego. It's unlikely to be money - we're already shipping dollars over there like crazy. It's also unlikely to be Ideology - the Central Committee are closet capitalists these days. Coercion - I don't see them trying to trade this for reducing our support for Taiwan. Ego. Ego is a possibility - but they're not teen-aged boys.
I haven't seen any official statement which implicates the Chinese government, only that the attack may have originated from China. Very different things. If the media is reporting it as the former than that's on them.
41 comments
[ 3.4 ms ] story [ 87.2 ms ] threadAs others have pointed out, running a whois on the anthemfacts webpage returns a registration date of 12/13/2014 [1] which is most likely when the breach occurred. Not January 29th.
[1]: http://whois.domaintools.com/anthemfacts.com
The company just changed its name from Wellpoint to Anthem in December and could have bought up a bunch of "anthem*.com" domain names around then to keep in reserve.
Also I'm sure a major healthcare company that handles tens of millions of sensitive personal records has enough foresight to see a data breach coming. HIPAA and ACA probably mandate healthcare companies having this exact kind of plan ready to deploy in the event of a hack.
Did anyone record any downtime of their public-facing systems in this time? You know when you're a sysadmin and you notice something really bad happening, you shut down the affected systems immediately and try to minimize the damage? You never know what kind of back doors have been put in place, after you are breached.
It is also entirely plausible that the breach is still ongoing now, after a month and a half why not, but they are just no longer able to detect it. These people are some of the most important cogs in the health care machine, the insurance providers! If they had some kind of downtime that was actually affecting their ability to provide services, well then they might actually be subject to some real form of legal action, maybe even pay serious damages to their customers. Thank heavens that didn't happen!
They are paying lip service to security because it's not as important to them as, you know, basically anything else. Like say, receivables. It's only identity theft!
"The company also confirmed Friday that it found that unauthorized data queries with similar hallmarks started as early as Dec. 10 and continued sporadically until Jan. 27."
Rather than responding to hacks with counterattacks or an attempt at diplomacy, the first priority ought to be to strengthen the defences of companies handling sensitive data.
While a large system may never be made impenetrable, it could certainly be a lot harder and more costly to pull off an attack against most of these companies than it is today.
If this is considered a crisis, redirecting a few of those billions earmarked for NSAs offensive capabilities towards vetting and improving the security of US companies would make a good strategy.
USA Today, 10/07/14: "Report: Russian hackers behind JPMorgan Chase attack"
Reuters, 10/20/14: "Russia ruled out as culprit in Chase cyber security breach, U.S. officials say"
[1]: http://www.bloomberg.com/news/articles/2014-08-27/fbi-said-t...
[2]: http://www.reuters.com/article/2014/10/21/cybersecurity-jpmo...
Just as an example, the Target and Home Depot breaches were almost certainly conducted by the same fairly well-known group of Russian hackers and fraudsters, but they have no known ties to the Russian government.
So maybe in the Sony hack case it was NK, however I'd love to see the US's evidence. If they have two dozen proxies, one of which happened to come from NK thus that "proves" it was NK, then sorry, but no. However if they can prove that one connection was not proxied somehow and originated from NK then fair call.
I doubt they'll ever release technical information however.
I don't see how this is even technically possible
[Edit: I just noticed these are government and not private analysts making the claims, so my comment is now a bit cynical for my own taste... but I think it's still effective PR and I expect private security companies to field more "So you're not saying is WASN'T North Korea, right?" kinds of questioning from corporate clients.]
This is SSN data that was stolen, it's a whole different beast that the FBI's kerfuffle (to put it lightly) with the Sony Pictures hack.
I can't tell which one you think is more serious. It sounds like you think it'd be a very serious matter if SSN data was stolen. But haven't the vast majority of SSNs been available on the various blackhat markets for many years?
The fact that Anthem could not be bothered to spend the time or money to secure their data until it was stolen has nothing to do with it. Not at all.
This is a ploy to get out from under the HIPAA liabilities.
Two things can be true: you should have locks on your door AND you shouldn't enter someone else's unlocked door.
(Ironically, not locking your doors could also increase your insurance rate...)
In that case, we should just put trespassing and breaking and entering laws on the books and call it a day, that should stamp out the problem immediately.
a) much harder to attribute,
b) impossible to prosecute (Assume it is Russia or China, what is your recourse? the U.S. is already hacking them too, under slightly different rules, and any other response is just a needless international incident. If it is people in another country, not associated with their government, there is even less you can do), and
c) possible, at least in theory, to defend against robustly (compared to doors and locks which are always vulnerable to literal brute force, without the need to be particularly clever about it).
So, given that punishment is impossible and prevention is possible, focusing on the second is a good idea. Or, at least, in some combination of prevention and mitigation (including insurance, or say, ways of detecting and changing stolen SSNs or credit card numbers with minimal disruption). Now, I am not saying it's the fault of a single insurance company. Security is pretty hard to get right and we systematically under-prioritize it when developing the technologies and systems we use. But as a society, making our computer systems more secure is more cost effective than keeping pilling up cyber crime laws that are unenforceable unless you happen to get lucky enough that the hacker is among the 1/20th of the world population you have jurisdiction over, or getting into a harmful retaliatory mode under ideas like "cyber-warfare".
p.s. By "possible to defend against robustly", I mean when you trust the suppliers of your computing base to be non-malicious and you have ensured physical security (which you can enforce by law and national defense and whatever other age tested methods people/groups/nations have used to secure their property for millenia).
However, the criminals lately always seem to be "China" or "Russia" rather than "Chinese individuals" or "Russian individuals". The reason for this is that practically every contract includes an escape clause for "Act of War" by a foreign state but not for foreign individuals.
To further your analogy, if someone burgled an apartment complex because the manager left the skeleton key under his doormat, you can be sure that the apartment manager would be getting prosecuted for gross negligence as well as the individual who burgled the apartments.
It's time that an IT breach carry a charge of gross negligence against the CEO. Suddenly, IT will have lots of funding and importance.
HIPPA violations should be like Sarbox. The CEO should be held personally responsible, ideally by being terminated and then prosecuted. Then, and only then, will the average CEO take any of this seriously.
What I don't want to see is knee-jerk legislation that erodes our privacy and rights further.
Really, just mandate by an act of congress that companies need to rely on public key cryptography within 5 years for everything and you'll see user-friendly solutions appear really friggin quick.
I remember back when I was in banking when they announced some crazy retention policies on all communication (written and voice) that wasn't technically feasible at the time congress passed the laws requiring those retention policies. Within a few years, there were a bunch of vendors with solutions for the banks to implement. Necessity is the mother of invention. Invent a necessity through an act of Congress and people will invent.
The first suggestion would be much more secure but would be difficult and very lengthy to implement, and the second would not have helped in a situation like this.
Identity Theft is a completely made up thing, that used to be called fraud. When it was called fraud it was the responsibility of the institutions to protect themselves. Instead they use the word identity theft to make it the problem of the victim. If someone goes to the bank and pretends to be me and gets a line of credit, spends a ton of money, I am left holding the bag since it destroys my credit rating. Yet, I didn't do anything at all wrong. These institutions rely on woefully inadequate measures to determine identity and when something goes wrong, the person who should pay for inadequately verifying identity is the financial institution that messed up and gave credit to the wrong person under false pretenses.
Anthem is my insurer and now I'm responsible for dealing with the fallout from every institution's completely inadequate processes for verifying identity. How is that fair?
The solution isn't hard, you'd get an account with an identity signing service that goes to great lengths to confirm your identity. Once your identity has been confirmed, you either generate your own private and public keys and upload your public key to them or they can generate both on your behalf. After that, you either host your own service to sign with your private key or you redirect signing to the identity provider if they generated a key for you.
This is not a pipe dream. It just requires mandating that companies need to require that you sign off on things cryptographically. If you have not signed off, then the losses and consequences from fraud are their responsibility, not yours.
It really seemed to make sense at the time.
I mean, I'm not a government worker or contractor. Even if I was, my password is randomly generated and not used elsewhere. If it wasn't for profit hackers, identify theft with social security numbers is perhaps less of a concern. And my password was randomly generated, so they can't get into any other accounts, so identity theft and fraud based on it is probably the biggest threat.
I really wish there was a good health insurance company (or a single payer system) I could switch to, but anthem is honestly the least bad company currently available to me.
"Chinese" = we saw an Asian IP address.
"state-sponsored hackers" = This is war!
"Sophisticated attack by Chinese state-sponsored hackers" = force majeure.
Force majeure = We don't owe you a penny.
The usual motivation for stuff like spying and data theft is the acronym MICE - Money, Ideology, Coercion, and Ego. It's unlikely to be money - we're already shipping dollars over there like crazy. It's also unlikely to be Ideology - the Central Committee are closet capitalists these days. Coercion - I don't see them trying to trade this for reducing our support for Taiwan. Ego. Ego is a possibility - but they're not teen-aged boys.