Risk
2/5/2015
05:35 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

A Mere 8 Days After Breach, Anthem Healthcare Notifies Customers

Was the data encrypted in storage? Investigators aren't saying, but they hint that it wouldn't matter either way.

In a rare (perhaps unprecedented) move, a large company reported a data breach -- to authorities, the media, and the individuals whose data was stolen -- well before they were legally obligated to do so. Wednesday night, Anthem Healthcare, the nation's second-largest health insurer, began notifying its customers and the media that the personal records of as many as 80 million individuals were compromised -- a mere eight days from when Anthem first detected suspicious activity Jan. 27.

In a statement, Anthem president and CEO Joseph Swedish said, "Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation. Anthem has also retained Mandiant, one of the world’s leading cybersecurity firms, to evaluate our systems and identify solutions based on the evolving landscape."

The initial unauthorized access has been tracked back to Dec. 10. The stolen data includes names, employment data, income data, Social Security numbers, street addresses, email addresses, and medical ID numbers. But investigators say there is no evidence to indicate that medical records (claims, test results, diagnostic codes) or credit card data were compromised.

What is clear is that the attack was extremely targeted: aimed at Anthem specifically, not just any healthcare institution. What is not clear is whether or not the stolen data was encrypted.

According to a security alert issued today by HITRUST:

Anthem has been collaborating with the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) since initial discovery of suspicious activity on its network, including sharing of various indicators of compromise (IOCs) consisting of MD5 hashes, IP addresses, and threat actor email addresses.

This crucial observable information was anonymously shared with the HITRUST C3 Community, through the automated threat exchange. It was quickly determined that the IOCs were not found by other organizations across the industry and this attack was targeted at a specific organization.

Upon further investigation and analysis it is believed to be a targeted advanced persistent threat (APT) actor.

Dave Damato, managing director of Mandiant, the organization leading the investigation  into the Anthem breach, confirms "Yes, it was targeted at a specific company." However, the same criminals could carry out similar attacks on other organizations, and just change the indicators of compromise (MD5 hash, IP addresses, domain names, etc.) to make it harder to detect. 

Damato could not share many details about the ongoing investigation, but Adam Meyer, Chief Security Strategist at SurfWatch Labs says, “Anthem discovered the attack when a database administrator noticed unauthorized queries running with admin credentials. Data exfiltration was performed through an external web storage provider 'commonly used by U.S. companies,' which suggests a service such as Google Cloud, Microsoft One Drive, or Dropbox was utilized to reduce chances of detection.”

“Upon discovery," says Meyer, "Anthem reset all passwords with privileged access across their environment and disabled accounts without two-factor authentication. Statements indicating that the company immediately made every effort to close the security vulnerability suggest that a known vulnerability was exploited in the corporate web environment or that a payload was delivered via spear phishing to employees but was easily corrected once identified as the point of entry. Data was exfiltrated to a known cloud storage provider likely utilizing authorized credentials.”   

Damato says that there is no evidence to suggest that an Anthem insider was involved in the breach, so admin credentials were probably stolen by outside attackers.

What remains unclear is whether or not the breached data was encrypted. When asked, Damato's response was itself rather cryptic. What he did say is that the issue with all encryption is that, data has to be decrypted before an authorized user can use the data. So if it could somehow be copied or exfiltrated while it is in use, unencrypted, the fact that it was encrypted while in storage might not matter.

"We are dealing with one of the biggest data breaches in history and probably the biggest data breach in the healthcare industry," says Jaime Blasco, VP and chief scientist of late-stage security startup AlienVault. "If you are wondering what it means for individuals, in a few words: it is a nightmare. If the attackers had access to names, birthdays, addresses and Social Security numbers, it means that information can be easily used to carry out identity theft schemes.

"It is yet unclear who is behind the attack," says Blasco, "but if the group behind that compromised Anthem and plans to sell that information on the black market, it means cybercriminals can buy  access to the stolen data and use that information to drain your bank account, open new credit accounts and telephone accounts or even utility accounts. They can even obtain medical care using your information."

Damato says that his team at Mandiant definitely aims to provide some attribution for the attack, so they can have a better idea of what the attackers will do with the data they've stolen. But, attribution is hard for a variety of reasons. Not only because attackers take pains to obfuscate their identities, but because sometimes an organization has been breached by multiple threat actors, making it "hard to delineate between" them.

"I think the industry as a whole is getting better at attribution," says Damato, "but there's still a lot of noise."

"One thing that's very important and very different," he adds, "is that Anthem reported it before they had to." Damato says it will be very interesting to see what effect that speed has on the investigation and public response.

The responses of customers remains to be seen -- but with the Affordable Care Act's enrollment deadline a mere 10 days away, their opinions may be known quite soon. For their parts, the FBI and the security industry have applauded Anthem for reporting the incident so quickly.

The FBI stated: "Anthem's initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances."

Damato says that the company reported it so quickly simply because they thought it was the right thing to do.

In his statement, Anthem CEO Swedish said "Anthem’s own associates’ personal information – including my own – was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/26/2015 | 2:16:49 PM
Re: Quick notice not surprising, considering...
Well, to be fair, it's not his fault that his health plan screwed up.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/25/2015 | 4:55:26 AM
Re: Quick notice not surprising, considering...
@ODA155: Yes, I saw that.  What's more, there's evidence that suggests that other researchers knew about the attack a few months ago (and at least one reported on the suspicious behavior).
Technocrati
50%
50%
Technocrati,
User Rank: Ninja
2/11/2015 | 11:04:52 AM
Re: Quick notice not surprising, considering...

"...one of the affected customers was Michael Daniel -- the President's chief cybersecurity advisor."

 

How embarrassing.   Amazing when reality ( you don't know what you doing... ) meets fantasy ( everything is under control ).  

Let's see if he keeps his job, probably that seems to be the customary track for "experts" who fall short.

Technocrati
50%
50%
Technocrati,
User Rank: Ninja
2/11/2015 | 11:00:24 AM
Re: Quick notice not surprising, considering...

@Joe   I am not particularly impressed about the early notice either.  I am sure they have been reading about Sony and all the rest.  80 mil records compromised !  

A new record.

 

Hackers seem to be well ahead of most company "experts".

ODA155
50%
50%
ODA155,
User Rank: Ninja
2/9/2015 | 1:28:22 PM
Re: Quick notice not surprising, considering...
Brian Krebs is suggesting this hack could have started as far back as April 2014!
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
2/9/2015 | 12:02:06 PM
Re: Quick notice not surprising, considering...
@ODA155: Scary, isn't it? And we wonder why breaches occur ... In all the breaches to date, one glaring fact stands out – a gap in secure computing practices. Of course, that is a classic understatement. Take your post regarding HIPAA and PCI (I am fully aware that encryption is not mandated); they, in and of themselves, do not constitute a fully secure environment. What really gets me is that there are guidelines for these secure practices, and organizations still fail to properly implement them. Personally, I am a big proponent of implementing the SANS Critical Security Controls; properly implemented, they provide a very serious secure computing environment. Take the Anthem breach - although possession of Anthem admin credentials may have negated the security of encryption, a full implementation of Critical Security Control 17 (Data Protection) could have probably saved Anthem. This control specifies the adoption of data encryption, both in transit and at rest. Additionally, it also asks for data loss prevention protection for data in use, motion, and at rest. This control in itself could have possibly mitigated the exfiltration of Anthem data.

Many years ago, the mantra that IT needs to align itself with business goals was the big thing, and for the most part, IT organizations have followed this strategy. I believe the big thing now is that IT security needs to align itself with IT, which by extension, aligns itself with the business goals. This is the message that fails on executive ears; IT security has a communications gap that needs to be fully addressed. One of the main obstacles to achieving this goal is the line of reporting usually governing IT security. Even now, the percentage of IT security reporting to the CIO is too large for comfort. The potential for a violation of the separation of duties to forestall an undesirable result of a conflict of interest is ripe in that environment. I have seen it myself. I have heard many CIOs state that when they have control of, and responsibility for both IT and Security, they are able to make the correct judgment call that serves to benefit the organization as a whole. The fallacy of that line of thought is painfully obvious (see the Target breach), and continues to be supported by C-level executives. That is what needs to stop if IT security is to gain the proper voice and support required to align itself with the business goals of any organization, and provide an effective security environment.
ODA155
50%
50%
ODA155,
User Rank: Ninja
2/9/2015 | 11:09:00 AM
Re: Quick notice not surprising, considering...
@GonzSTL... I was just preparing this when you posted... All... I need to correct a statement that I made last week. I was under the assumption, as I'm sure that most of us are, that HIPPA and PCI REQUIREs data encryption. I think if anyone has this same assumption as I did, you should look at what I found this weekend when I was "Googling" around.

Since I can't post links in here you'll need to search them yourself.

This question and answer comes directly from U.S. Department of Health & Human Services website.

Is the use of encryption mandatory in the Security Rule?
Answer:
No. The final Security Rule made the use of encryption an addressable implementation specification. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.

Next, Google this phrase... "PCI Data Storage Do's and Don'ts" ... and read the document, it's a pretty short document from the PCI Council and the very first statement says "Requirement 3 of the Payment Card Industry's Data Security Standard (PCI DSS) is to "protect stored cardholder data.""... nowhere in this document does it say that PCI data is REQUIRED to be encrypted, it is "suggested" as an option.

Now I'm sure that the QSA's and other PCI and HIPAA experts will come out here and try to qualify what these statements mean, but I have to say that after reading them it's very clear what they're saying, at least to me it is.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
2/9/2015 | 11:05:15 AM
Re: Quick notice not surprising, considering...
It is quite scary that Anthem chose not to encrypt their data, but even scarier is that encryption is not required under HIPAA. The most worrisome parts of this breach are that there were queries running with admin privileges, and that the attacker(s) were able to exfiltrate data. One would think that a large provider such as Anthem would have measures in place to detect and prevent this type of activity.
ODA155
50%
50%
ODA155,
User Rank: Ninja
2/7/2015 | 2:01:33 PM
Re: Quick notice not surprising, considering...
Joe... I just heard a report that said Anthem did NOT encrypt the data...at all! I also read that in an article from WSJ. And... some experts are tying this data breach at anthem, to tax return fraud with TurboTax. Minnesota has suspended accepting any state tax returns from Turbo tax... and over at databreachtoday dot com there is an article, "Anthem Breach: Chinese Hackers Involved?" that is rather interesting.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/7/2015 | 12:28:00 AM
Quick notice not surprising, considering...
Okay, sure, they notified their customers WELL before they were legally obligated, but that's not particularly surprising considering that one of the affected customers was Michael Daniel -- the President's chief cybersecurity advisor.
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas and her guest, David Shearer, (ISC)2 Chief Executive Officer, as they discuss issues that keep IT security professionals up at night, including results from the recent 2016 Black Hat Attendee Survey.