Time for a new job
In the identity theft prevention business!
Hackers have invaded the servers of Anthem, a health insurer used by tens of millions of Americans, and stolen social security numbers, employment records, personal contact details and more. A veritable treasure trove for identity thieves. Anthem, the US's second biggest health insurer with about 70 million people on its books …
As they are the first people in the door when this happens.
Let's be honest though, a small breach, or an outage of the corporate network is a slight breach and almost to be expected.
Getting completely owned by hackers and leaking everyone's information points to negligence and poor management of IT.
There have been enough wake-up calls with other big businesses getting hit, but still nothing is done and another one goes down.
I hope the lawyers go to town and drag the company over the coals for their mistakes.
Getting completely owned by hackers and leaking everyone's information points to negligence and poor management of IT.
That pretty much sums it up.
Most of these big exploits, which get blamed on EvilStateSponsoredSuperHaxorZ are actually people exploiting very sloppy IT service management and companies who, for decades, have slashed their spending on security and monitoring.
The problem is, the more publicity the Nation State Actor excuse gets, the more businesses use it to avoid any class action cases and the more they use it to demand government security protects them. This then lets them spend even less on security and the taxpayer can pick up the tab.
It is a shocking state of affairs.
"Anthem Blue Cross was the target of a very sophisticated external cyber attack"
Which translates to "we were fucking lazy and complacent with the data we were entrusted to safeguard" "We had basic passwords and allowed anyone to rifle through our database"
Whenever a huge corp is hacked, it's always a "sophisticated" attack....
Bollocks....
After the Norks hacked Sony in retaliation for a film they hadn't seen, their next logical target was a health insurance firm which was an affront to the obese leader threatened by the messages of living a fit and healthy lifestyle.
I say the US needs no more proof and should start carpet bombing civilians immediately.
like a class action lawsuit in the making...
10s of millions!! The UK population is only in the "tens of millions".
Oh this is going to be enormous fun.
Popcorn time!!!!!
*reg, we need this updated on a regular basis please... There's bound to be some of the richest excuses we have ever heard about this one!!!!!
"There's bound to be some of the richest excuses we have ever heard about this one"
You, sir, are an optimist. They've made all their excuses and apologies already. The CIO and a flunky "responsible" for IT security will eventually be hung out to dry (though the CIO might get lucky and be paid off handsomely, because that's what happens to incompetent executives).
The rest of the board will sit there like the three wise monkeys, wringing their hands. But given the now rather long history of data breaches at major corporations (as far back as 2006 for a major US healthcare body, IIRC) the whole board are accountable. The audit committee for failing to audit the financial risk of data breach, for failing to audit the systems security. The nominations committee for failing to appoint competent officers or directors. The whole board for failure to adequately question, challenge, test, and resource the IT function.
All the directors and officers (1) of Anthem should be dismissed with prejudice, every worthless, lard arsed, over-paid, irresponsible one of them.
(1) For UK readers, in the US "directors" means what we normally refer to as "non-executive directors", and "officers" means what we refer to as "executive directors". I wasn't suggesting that all of Anthem's employees were given the boot.
"But everything you need to obtain loans, credit cards, driving licenses, property and on-line payment services were compromised."
Yes, so as a sop to the affected people, they will offer 12 months "free" credit monitoring. What happens to the poor schmucks after 12 months when the stolen data is still just as valuable? What if the crims just sit on it for 12 months while the company says "well, it looks like the data may not have been stolen after all since there's no evidence of it being used" and even the majority of the affected people have forgotten about it? The stolen information is not the sort of data you can easily change.
"But everything you need to obtain loans, credit cards, driving licenses, property and on-line payment services were compromised."
So, logically, all the businesses that currently used that combination of information will have to start asking for a different combination, because that combination is now public domain and only an idiot would want to stand up in court and admit that they dished out a credit card with nothing more than public domain info to identify the holder.
This is the real cost and it is a cost to the rest of society. Not for the first time, we see security as a cost that is largely externalised. On the bright side, it *is* probably about time that companies stopped using SSNs as a key.
The NSA probably have back-door access to such databases anyway, so wouldn't need to hack them. They might even be authorised for front-door access so they can cross reference information about any people suspected of terrorism, political dissent or ingrown toenails.
"It's not working by itself, no need to repeal."
Au contraire, it's working a treat at creating even more of a European style welfare & entitlement culture, and a Democrat spending counterbalance to the Republicans' military-industrial complex.
So the healthcare and insurers will lobby with hundreds of millions of dollars for their interests, the military industrial likewise, and Wall Street as ever will be corruptly hoovering up the remaining third of the economy. Curiously this leaves the US economy with three pillars of welfare, defence and corruption. You'll notice that this excludes the real economy of employing productive workers to make or grow things, but it's been tried a number of times the world over (for example the Soviet Union), and it works just dandy for the 1%, just not for the masses. Even after the collapse of the Soviet Union, the 1% of that society got richer rather than poorer.
I see a Senator is busy trying to use this to beef up snooping.
Yet it's not the Russkies or Norks or Chinese that ought to be brought to book but the company itself.
It seems to say 'never mind all your personal info was pinched, it didn't get the card details'.
How wonderful is that? With the personal details the crooks can get as many cards as they like. But as it won't affect the company, a large fuck they could not give.
Oi, Senator Spongebrain -- it's your mates who need a good kicking, not the public!
"Alternatively, until it costs more to settle than to insure against the risk, these things will keep happening."
That's assuming they're insured. It was widely reported in 2014 that major infrastructure bodies were refused insurance against cyber attack by Lloyd's of London because they were utterly uninsurable.
On a breach such as this each affected data subject should be entitled to changes of all feasible attributes: phone numbers, social security numbers or the like*, email addresses all funded - including out of pocket costs such as sending out "here's my new contact details" letters (letters because undoubtedly some companies will insist on written confirmation) all paid for by the breached company.
The costs of that should get shareholders' attention. More likely, of course, it would be covered by insurance but insurers would set premiums based on demonstrable protection of data - or lack thereof.
*Yes, I know this would require action by the appropriate authority.
banks used to have vaults and store lots of money on site, they accepted that they would get burgled from time to time and had insurance to cover it
As the insurance got more expensive they realised that the bank vault was not the best place to store the money so now if you go in to a high street bank they have far less money
When will we realise that connected computers are inevitably going to get hacked and start working out better places to store our personal data
I'm thinking all the healthcare companies are a breach waiting to happen. They've rolled off the IBM and Unix mainframes for Windows and Linux clusters. Many are managed by an outsourced firm (no names, but they are big) which hires mostly outsourced developers. IT is a cost center so there's no incentive for the board to improve security by tossing the appropriate amount of budget their way. Lowest bidder, lowest cost, and oh.. security? Those are the guys who give the new hires their first password, right?
The data floats back and forth between the insurance company's servers and the outsourced firm. Massive amounts of it. I am wondering where the breach actually occurred. Once you breach one side, you can own everything.
For publishing the names of the affected companies. Scanning Associated Press, Bloomberg and other U.S. news sites, I don't see that information. Despite the site de-design, the Reg is still a go-to place.
Meanwhile, Amy Pascal has been kicked out of the chair at Sony Pix. But not because of the hacks. No, because of what she said in emails about the president and some actress. Corporate hacking will continue to be a growth industry as long as corporations refuse to take responsibility for their reckless handling of private information. Who's next?
Nowhere else on the internet can you find such a collection of tech-savvy, tech enthusiastic, tech knowledgeable, self important male egotist blowhard commentards.
All the spouting off here, that the IT security person in charge should get fired, is a fool, doesn't know what he/she is doing, etc etc etc, is in essence saying that "I know better, it would have never occurred if..."
Bloomberg is already stating that China's government is being fingered in this attack. So everyone here is so skilled that THEIR security would not fail underneath the attack from a government, backed with multi-billion pound/euro/dollar support.
When pigs fly.
But everyone here knows better...than everyone else. How many years of "Linux is secure because we have all those eyes looking at code!" did we just put up with from the El Reg commentards...only to be proven DEAD wrong and WITHOUT any form of mea culpa. For all too many El Reg participants, all others are fools who would wither under their expertise, all should bow under their greatness.
Let's see how THEIR security precautions hold up against a governmental attack - THEN they can speak their expertise. And yes, I will get downvotes, boo-hoo.
"Bloomberg is already stating that China's government is being fingered in this attack."
And, of course, you believe it unquestioningly. So what would a foreign govt. want with this? As opposed to a bunch of thieves who'd be aiming to make money out of it.
'How many years of "Linux is secure because we have all those eyes looking at code!" did we just put up with from the El Reg commentards'
Do you have some inside knowledge of just what OS the systems that were hacked were running, or are you just firing off random comments?
"And, of course, you believe it unquestioningly. So what would a foreign govt. want with this? As opposed to a bunch of thieves who'd be aiming to make money out of it."
Because you didn't bother to actually read the Bloomberg article, which gives exact and precise reasons? That being, to scrape information, by any means, of defense contractors, government employees, politicians, et al? If you can't directly attack the governmental data stores simply go to the other systems where these people dump their personal information of Social Security numbers, birthdates, locations most frequented, activity patterns, etc?
And what does the comment about the general arrogance of the commentards here - years of Linux "superiority" from people who believed the OS and, by extension, themselves as users, to be fundamentally superior - have to do with what OS was hacked in this instance?
The aforementioned is a statement about the attitude of the people here, NOT the OS - as you just proved, trying to use the OS itself as a gauge for overall knowledge.
When Linux crashed down during the past 6 months, vulnerabilities exposed that sometimes were years old yet remained unpatched, almost NO El Reg commentard said a mea culpa and admitted that their years of rabid fandom and self importance was just SHOT DOWN. Almost NO ONE.
It doesn't require a government attack. My former employer's (health insurance company) IT bods are scrambling as they have basically the same equipment/software and outsourced "services".
See my post above about "Data breach waiting to happen". The BC/BS's use a lot of the same outsourced company for software and a "cloud" of sorts where some data is local, but much is with the outsourced company. Presumably, there will be more information forthcoming on this.
Hell, the Blues even outsource processing of claims where they can. There's possible breaches all over the place in that industry.
Not a great troll... but you tried.
The entire WORLD is a "data breach waiting to happen" as everyone has insisted upon settling with a fundamentally insecure protocol based on a sole decision of easy connectivity: TCP/IP. A GIANT security hole that can NEVER be plugged easily as the protocol was designed for ease of communications with no security at all.
So now security is piggybacked ad lib, to the best of personal (IT personnel) ability, rather than being so intrinsic in the design that IT tech must decide to deactivate it rather than struggle to properly and adequately implement it across a diverse network. IT spends its time, energy and money plugging security holes rather than working to stabilize, expand and improve both software and hardware infrastructures for users. Instead of working on porting a legacy business app to the new system, their resources are stretched paper-thin, all too often on a shoestring budget, keeping up with patches, firewall rules, server log reports, remote user administration, IT security bulletins, security-based browser updates, etc etc etc.
But we've become so infatuated with "easy" that we now struggle to get a hold of the concept of "private", and we're failing. There IS fundamentally no such thing as a secure TCP/IP network, it can and will be breached by a dedicated enough attempt.
'No where else on the internet can you find such a collection of tech-savvy, tech enthusiastic, tech knowledgeable, self important male egotist blowhard commentards... in essence saying that "I know better, it would have never occurred if..."'
Fair comment perhaps, but it isn't really El Reg TSTETKSIMEBC vs. (in this case) Anthem IT bods, we (not to mention perhaps Anthem bods that read El Reg) are saying it wouldn't happen if we (as groups, communities, nations) took a bit of ownership and care over the technology we depend on, yet abuse every day.
We're really saying it is (all too often) down to bad practices, poor management culture, and worse - not just the odd 'bad actor'. We've been putting up with those types since we first sat around a campfire.
Who knows if it's the case, but it seems to me like a company providing health insurance wouldn't consider IT one of their "core competencies". Not to say that in-house IT would have prevented it, but I've worked in lots of places where all or part of IT was outsourced, and it throws up a huge wall of abstraction that makes it very difficult to make changes, audit stuff, etc.
It'll be interesting to see what comes out of the investigation. My guess is that their in-house security team has been reduced to rubber-stamping the outsourcer's plans, so as long as they're following ISO9000 or whatever, their insurance company will pay for the loss and nothing will change security-wise.
ISO 27001. ISO 9000 is for hotel and canteen management.
I have no idea how to apply it. Neither do the Big Taxpayer-Funded Institutions guys I sometimes meet and who are supposed to implement that at said Big Taxpayer-Funded Institutions. I suppose having the licence to ignore details when you have a folder stack of ISO docs and a cozy office must be bliss and heaven.
who want us to carry tracking devices and pedometers 24/7 to give us a "tailored" health insurance plan? And also to hook up our cars to their driving habit surveillance system, again to give us a "tailored" car insurance? The ones drooling about IOT and how to use it for best exploiting helping their customers?
Good idea to give them even more data. They seem to handle it well.
After you read the article you might wonder why this matters. I'm actually disappointed that the writer didn't spell it out. If your CC is stolen you get a bill with unauthorized charges and you call the CC company and the card is deactivated (refunds and whatever don't matter for this discussion). If your medical insurance information is stolen two things can occur. First, someone could pose as you for procedures. That in itself isn't any worse than your CC being stolen. You will receive a bill and call about it. Odds are you will get new account numbers and they will stop the bleeding. But if the bad guys set up fake practices and start billing for services never rendered, they collect from the insurance companies and never bill the individual. Most people don't follow up on their medical claims unless they get a bill. They could milk the system for years. I've told this to others before and most people don't like their insurance companies so they really don't see this as bad. I guess they may later when they see how their rates went up to offset the rise in claims.
I am one of the lucky ones who was a client of theirs for years. My concern is that in 2, 3, 5 years from now someone will use my details to get credit and screw up my credit rating. I will be at a different address by then so I won't see the bills coming in for my 'new' credit cards. I probably won't know anything about it until I get a credit application rejected. I am not a happy bunny.
"Curiously this leaves the US economy with three pillars of welfare, defence and corruption."
I always thought that the "defence" industry (which is a misnomer and should properly be called the warmonger industry) was the US equivalent of the European welfare system except the latter is more equitable.