Documents obtained by Salted Hash have confirmed a few of the rumors circulating among the public in the aftermath of the Anthem breach, including the date the incident started.
According to a memo from Anthem to its clients, the earliest signs of questionable database activity date back to December 10, 2014.
The memo singles this date out as the day abnormal query activity on the breached database was first initiated. The query activity continued sporadically until January 27, 2015.
Thus, the attackers had access to the database for more than a month before they were discovered.
From the memo:
"On January 27, 2015, an Anthem associate, a database administrator, discovered suspicious activity – a database query running using the associate's logon information. He had not initiated the query and immediately stopped the query and alerted Anthem's Information Security department. It was also discovered the logon information for additional database administrators had been compromised."
Two days later, on January 29, Anthem determined that they were the victim of an attack and notified federal law enforcement. In addition, they shared the indicators of compromise with HITRUST C3 (Cyber Threat Intelligence and Incident Coordination Center).
The memo goes on to state that the incident is being considered an APT-related event, given the "highly sophisticated" nature of the attack.
"The attacker had proficient understanding of the data platforms and successfully utilized valid database administrator logon information," the memo explained.
In addition to working with the FBI and hiring Mandiant to help their internal incident response team investigate, Anthem says they've "changed passwords and secured the compromised database warehouse."
Original article below:
Anthem, the nation's second largest health insurance provider, confirmed that outsiders were able to compromise an unknown number of records, including complete profiles for individuals.
The investigation is ongoing, but the full scope of the incident could impact millions of people, based on Anthem's own count. According to the company, one in nine Americans has medical coverage through one of its affiliated plans.
In a statement, Anthem President and CEO, Joseph R. Swedish, said that the attackers were able to access the company's systems and obtain "personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data."
At this point, they have no evidence that credit card or medical information, which would include claims, test results, and diagnostic codes, was targeted or compromised.
Customers were not the only ones to have data exposed; employees also had their PII accessed, according to Swedish's statement.
The breach impacted all Anthem product lines, including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare.
Mandiant has been retained in order to help with incident response, and the FBI is currently investigating.
Customers whose information was compromised will be contacted directly about the incident and offered free credit monitoring and identity protection services.
In 2010, before the name was changed to Anthem, WellPoint had to deal with another data breach, which impacted 612,402 customers, after a failed security update to one of their systems.