Anthem: How does a breach like this happen?

It's not as difficult as you'd think

Current Job Listings

Remove all the hype, all the sensationalism, and Anthem's security dilemma is no different from one that any other large organization would face. Was this attack truly sophisticated, or could anyone have pulled it off?

On December 10, 2014, someone compromised a database owned by Anthem Inc., the nation's second largest health insurer.

The compromise wasn't discovered until January 27, 2015, after a database administrator discovered his credentials being used to run a questionable query – a query he didn't initiate. Two days later (January 29), Anthem alerted federal authorities and HITRIUST C3 that their internal investigation determined the incident was in fact a data breach. On February 4, 2015, the company disclosed the breach to the public.

"Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members," Anthem President and CEO, Joseph R. Swedish, said in a statement.

Those responsible for the attack were able to obtain "personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data," the statement added.

The scope of the breach isn't fully understood, but there's a good chance that a majority of the 80 million records contained in the compromised database were exposed. According to company metrics, one in nine Americans have medical coverage through one of Anthem's affiliated plans.

Anthem, based on data posted to LinkedIn and job listings, uses TeraData for data warehousing, which is a robust platform that's able to work with a number of enterprise applications.

This technical detail also provides an idea on the level of security Anthem had available, as TeraData has a number of solid security controls available to customers, such as user-level security controls, role-based support, directory integration, traffic encryption, in addition to auditing and monitoring.

In the aftermath of the breach at Anthem, experts have speculated on whether the data in the database was encrypted at the time the attackers compromised it.

The problem is, while HIPAA requires that identifying information be encrypted, that protection goes by the wayside once an attacker compromises an administrator's credentials. So even if the data was encrypted, it didn't matter once the attacker(s) had total control over the database.

As for the attack itself, was it truly sophisticated or will the investigation reveal an attack that's similar to the ones that target organizations the world over day-after-day?

1 2 3 Page 1
Page 1 of 3
SUBSCRIBE! Get the best of CSO delivered to your email inbox.