The Anthem breach reported late last week provides a number of insights:
- While Anthem’s transmissions were encrypted, their stored data was not. It is worth examining whether the efficiencies gleaned from non-encrypted storage are outweighed by the costs of breach recovery, notification and damage to reputation.
- The majority of plans run by insurers such as Anthem are likely employer-sponsored. On the one hand, one might counsel an employer that this is a matter between the insurer and the insured (and not between company and insurer or company and insured). On the other, employees do not necessarily allocate responsibility so precisely. Clearly, the security measures used by vendors should be of concern to employers. In addition, employers should include third-party breaches in their response planning.
- The attack vector was likely through an employee’s stolen password. Based on some reporting, it may be that the employee was the victim of a social engineering (typically, using deception to cause someone to divulge confidential information like passwords). Once again, we see the importance of strong policies and training in the overall security scheme.
- The attack demonstrates threat transference, something that will occur more and more. Threat transference is a situation where, once thwarted by enhanced security measures, criminals will move on to more vulnerable targets even if those targets are lower value. As security improves in the banking and retail sectors, criminals will move to “easier” targets. Because the Anthem data contains a wealth of information that can be used in identity theft, it remains very valuable despite the fact that it doesn’t contain direct financial account information. As the threat is rapidly transferred, there is little doubt that employer data — which contains information as sensitive as that held by Anthem — will become a specific target.
- The Anthem attack demonstrates the difficulty inherent in breach detection and response. Some reporting indicates that the discovery of the breach may have been a lucky break and that day into the event, the scope of the stolen data is likely still not known. Indeed, most cyber-attacks last somewhere between three and six months before discovery. One way of discovering an attack is often finding some of the stolen data for sale online. Cybersecurity planning should include these realities.
- In light of massive breaches of employee data that have and will occur, I am wondering if mitigation efforts should beginin anticipation of a breach. Along with cyber-risk insurance, perhaps credit monitoring and negotiating with unions about these issues may be worth putting in place ahead of time.