29 August 2018

Anthem is Paying Up for Their Data Breach

Synack


Anthem is paying up. This month a federal judge gave final approval to the company’s $115 million settlement over the data breach it disclosed in 2015. Since that disclosure, which revealed that roughly 79 million records had been stolen from its systems, a class-action lawsuit had been making its way through federal court in California. The case is closed (finally), but the nightmare doesn’t stop here for Anthem.

How Did We Get Here?

Roll the tape back to February 2014. An employee of an Anthem subsidiary opened an email, and the repercussions of that action are still playing out. The email was a phishing message crafted to compromise Anthem’s systems, and when the employee opened it, the attacker gained an initial foothold for remote access. From there it was game over. “The attacker was able to move laterally across Anthem systems and escalate privileges, gaining increasingly greater ability to access information and make changes in Anthem’s environment,” states the report of the Multistate Targeted Market Conduct and Financial Examination conducted on Anthem. The attacker eventually worked through at least 50 accounts and 90 systems in Anthem’s environment before reaching the jackpot, Anthem’s data warehouse, from which 78.8 million member records were exfiltrated. The intrusion was not discovered and disclosed until early 2015, almost a year after that first click.

Phishing isn’t just Anthem’s problem, and it isn’t just a 2014 problem either. It was also the tactic the DNC came up against last week. On Wednesday, the DNC alerted the FBI to an apparent attempt to break into its voter database. The next day, its chief security officer announced that the attempt was actually a test, and not malicious, but one conducted by a third party that was unknown to and unauthorized by the DNC. “The test, which mimicked several attributes of actual attacks on the Democratic party’s voter file, was not authorized by the DNC, VoteBuilder nor any of our vendors,” DNC Chief Security Officer Bob Lord said. The details are still a little fuzzy, but according to WIRED, the Michigan Democratic Party reportedly authorized a firm called DigiDems to conduct the test without the DNC’s knowledge.

Our CEO and co-founder Jay Kaplan was asked what he thought about the matter. Given his own “hacker-minded” background and his past work at the NSA, his perspective carries weight. “Phishing takes advantage of the lowest common denominator in cybersecurity today – people,” said Kaplan. “You can have the most robust security in the world, with bank-level encryption to protect sensitive data, but if someone with privileged access to that database is compromised, it effectively allows an attack to walk right through the front door.”

What’s All This Costing?

    $2.5 million to engage expert consultants
  + $115 million for the implementation of security improvements
  + $31 million to provide initial notification to the public and affected individuals
  + $112 million to provide credit protection to breach-impacted consumers
  + $115 million for the class-action settlement approved this month
  = $375.5 million

Let’s look at a hypothetical. What if Anthem were operating in the EU and insuring European citizens? (The GDPR did not become enforceable until May 2018, so this is strictly a what-if.) They would face the GDPR penalty regime, whose ceiling for the most serious infringements is a fine of up to €20 million or 4% of global annual turnover, whichever is greater.

Anthem’s global annual turnover in 2015 was about $79.2 billion.
At 4%, the maximum GDPR fine would come to roughly $3.2 billion.
Turns out they got off pretty easy, despite having been handed one of the largest settlements in a consumer data breach case.

Total potential cost in this scenario: about $3.6 billion

Moving Forward

As part of the settlement, Anthem is also required to update its data security systems and policies and significantly bolster its cybersecurity budget. The big question is, how are they going to do it?

A few general security-hygiene tips for CISOs:

  1. Think like a hacker: your entire digital presence is an attack surface
  2. Use tooling such as anti-phishing toolbars and firewalls to catch what people miss
  3. Educate employees to think before they click, and to verify where a link actually leads and who actually sent an email
  4. Enforce that browsers and other software are kept up to date

Of course, Anthem should also test its systems regularly, because humans are the weakest link and mistakes are going to happen. It is likely that some of the new measures will require external validation rather than just Anthem’s own assertion that it is secure.

Crowdsourced testing solutions use trusted, ethical hackers who employ the same methods criminal hackers do, so that organizations can secure their networks before criminals get to them. If Anthem were to adopt an incentivized, crowdsourced approach to testing, it would get a better sense of how resistant its systems (and its data) are to attack, and could prioritize the critical assets that hold sensitive customer data and decide where to focus its resources. Using crowdsourced penetration testing to find and fix vulnerabilities helps organizations protect their customers’ personal data and avoid the costs, and the years of legal proceedings, that follow a breach.

Sources:

Judge approves Anthem’s $115M data breach settlement | Becker’s Hospital Review

A New In-Depth Analysis of Anthem Breach | Bank Info Security

Report of the Multistate Targeted Market Conduct and Financial Examination of Anthem Insurance Companies, Inc. and its Affiliates | California Department of Insurance

Judge Gives Final OK to $115M Anthem Data Breach Settlement | Health IT Security