February 05, 2015
Anthem Breached: The Hunt for PII
Written by
David Kennedy
Leadership
Anthem, the second largest health insurer in the United States, has reported a large-scale breach affecting an estimated 80 million employees and customers. It has been reported that no medical information was obtained, but data such as Social Security numbers, addresses, salary information, and birthdates are impacted. Any breach is unfortunate, and the team over at TrustedSec wishes the best for the security folks at Anthem, who have an overwhelming task ahead of them. A breach can happen to anyone - it's how we prepare and respond before, during, and after that makes the difference.
With the Anthem breach (and such a large breach around PII), is this the new norm for 2015? We saw a trend in 2013 and 2014 around credit card breaches at (to name a few) Target, Jimmy John's, K-Mart, Home Depot, and many others. Since these breaches (and well before them), the U.S. has been under a massive push to switch over to Europay, MasterCard and Visa (EMV), or "smart card chips". If you aren't aware, the U.S. uses an extremely antiquated system for swiping credit cards - the magnetic stripe. The magstripe is a clear-text representation of the account information, and harvesting it has been at the heart of some of the largest breaches we've ever seen. With EMV adopted across the rest of the world and the U.S. financial system slow to respond, we saw a massive increase in credit card compromises here. Since the push towards EMV, many retailers now support it, which has made it significantly harder for such large-scale breaches to occur.
There are still many concerns on the retail front - including EMV itself, which is far from perfect but a general step in the right direction. Retailers are still significantly behind in security practices, and EMV is still being rolled out and will continue to be for the next few years.
An old but new trend in medical and identity fraud?
The medical industry has been subject to attack for a number of years - that's nothing new. Over the past several years, federal government mandates (Meaningful Use) have pushed the industry towards electronic health records, and with them large stores of electronic protected health information (ePHI). We now have an issue - medical organizations hold millions upon millions of records of personal information in large databases. The retail industry is drastically behind the times on the security front, and you can consider the medical field literally years behind the retail industry.
@SpaceRog (Space Rogue) on Twitter pointed out that medical fraud amassed $48 billion in 2010, while credit card fraud was only $11 billion in 2012.
Direct links:
http://www.forbes.com/sites/merrillmatthews/2012/05/31/medicare-and-medicaid-fraud-is-costing-taxpayers-billions/2/
http://www.cardhub.com/edu/credit-debit-card-fraud-statistics/
The big problem with identity and medical fraud
Credit card compromised? Okay, great - re-issue the card and replenish the funds. While a slight discomfort for the individual, a large credit card breach is relatively easy to detect, because the banks see the fraudulent transactions and can trace them back to a common point of purchase. For identity theft, it's extremely difficult to determine what the initial vector was, or even whether a large compromise has occurred at all. Fraud committed against someone's identity is costly, painful to dispute, and requires a significant investment from the individual impacted by it. Out of all the breaches that occur, identity theft is by far the most painful for an individual.
Analysis of the Anthem Breach
We have no idea what the information was used for at this point in time. What we do know is that a year of identity protection services has little to no impact on preventing fraud for an individual, because replacing an identity is not as easy as getting a new credit card. These types of breaches are significantly more damaging and painful for individuals. A breach can happen to anyone - but having 80 million plus records accessible and then compromised is part of an alarming trend that will continue. A few questions we need to be asking as an industry are: how did the attackers get access to that information, and why wasn't it properly protected (encrypted)?
Credit Cards still a focus
Credit cards are absolutely still a focus for hackers. In the carder market it's easy to sell bulk numbers for a profit, and attribution is hard. Credit cards will remain a massive target and will continue to be a major front in attacks on retailers.
Moving forward and a call to action.
The medical industry has to step up its game in regards to INFOSEC, and it needs to do it now. HIPAA is not the path to a successful security program - it's a crutch. Focus on building a security program that can detect attacks and respond effectively. There are a number of industries focusing on bettering their protection against attacks - the medical industry is not one of them.
This blog post was written by David Kennedy - Founder of TrustedSec