Anthem, America's second biggest health insurer, HACKED: Millions hit by breach

Hackers have invaded the servers of Anthem, a health insurer used by tens of millions of Americans, and stolen social security numbers, employment records, personal contact details and more. A veritable treasure trove for identity thieves. Anthem, the US's second biggest health insurer with about 70 million people on its books …

  1. getHandle

    Time for a new job

    In the identity theft prevention business!

    1. Anonymous Coward

      or security consultant

      As they are the first people in the door when this happens.

      Let's be honest though, a small breach, or an outage of the corporate network is a slight breach and almost to be expected.

      Getting completely owned by hackers and leaking everyone's information points to negligence and poor management of IT.

      There have been enough wake-up calls with other big businesses getting hit, but still nothing is done and another one goes down.

      I hope the lawyers go to town and drag the company over the coals for their mistakes.

      1. Anonymous Coward

        Re: or security consultant

        Getting completely owned by hackers and leaking everyone's information points to negligence and poor management of IT.

        That pretty much sums it up.

        Most of these big exploits, which get blamed on EvilStateSponsoredSuperHaxorZ are actually people exploiting very sloppy IT service management and companies who, for decades, have slashed their spending on security and monitoring.

        The problem is, the more publicity the Nation State Actor excuse gets, the more businesses use it to avoid any class action cases and the more they use it to demand government security protects them. This then lets them spend even less on security and the taxpayer can pick up the tab.

        It is a shocking state of affairs.

  2. Anonymous Coward

    This:

    "Anthem Blue Cross was the target of a very sophisticated external cyber attack"

    Which translates to "we were fucking lazy and complacent with the data we were entrusted to safeguard" "We had basic passwords and allowed anyone to rifle through our database"

    Whenever a huge corp is hacked, it's always a "sophisticated" attack....

    Bollocks....

    1. diodesign (Written by Reg staff) Silver badge

      Re: cornz 1

      "a very sophisticated external cyber attack"

      It's usually code for: "Please don't sue, there's nothing we could have done about it - it was really sophisticated. Nation state. Beyond reasonable means to prevent. All the words that make a class-action difficult."

      C.

      1. Trevor_Pott Gold badge

        Re: cornz 1

        Facebook is more valuable than Portugal, isn't it? So I fully expect American megacorporations to have the resources of a nation state and be able to defend themselves. When you're as big as Anthem, you don't get excuses.

        1. Anonymous Coward

          When you're as big as Anthem, you don't get excuses.

          Nor security audited it would appear....

  3. Anonymous Coward

    Quite right - Blame North Korea

    After the Norks hacked Sony in retaliation for a film they hadn't seen, their next logical target was a health insurance firm which was an affront to the obese leader threatened by the messages of living a fit and healthy lifestyle.

    I say the US needs no more proof and should start carpet bombing civilians immediately.

  4. frank ly Silver badge

    "I want to personally apologize to each of you for what has happened,..."

    So, he'll be doing lots of driving and footwork for a while. Or will each of you be invited to his home/office to receive a personal apology?

    1. Michael Hawkes
      Facepalm

      Re: "I want to personally apologize to each of you for what has happened,..."

      Well, I live in Indy, so I guess I'd probably have to go to their office to get the "personal apology".

  5. Anonymous Coward

    This smells

    like a class action lawsuit in the making...

    10s of millions!! The UK population is only in the "tens of millions".

    Oh this is going to be enormous fun.

    Popcorn time!!!!!

    *reg, we need this updated on a regular basis please... There's bound to be some of the richest excuses we have ever heard about this one!!!!!

    1. Anonymous Coward

      Re: This smells

      "There's bound to be some of the richest excuses we have ever heard about this one"

      You, sir, are an optimist. They've made all their excuses and apologies already. The CIO and a flunky "responsible" for IT security will eventually be hung out to dry (though the CIO might get lucky and be paid off handsomely, because that's what happens to incompetent executives).

      The rest of the board will sit there like the three wise monkeys, wringing their hands. But given the now rather long history of data breaches at major corporations (as far back as 2006 for a major US healthcare body, IIRC) the whole board are accountable. The audit committee for failing to audit the financial risk of data breach, for failing to audit the systems security. The nominations committee for failing to appoint competent officers or directors. The whole board for failure to adequately question, challenge, test, and resource the IT function.

      All the directors and officers (1) of Anthem should be dismissed with prejudice, every worthless, lard arsed, over-paid, irresponsible one of them.

      (1) For UK readers, in the US "directors" means what we normally refer to as "non-executive directors", and "officers" means what we refer to as "executive directors". I wasn't suggesting that all of Anthem's employees were given the boot.

  6. Anonymous Coward
    FAIL

    Love it...

    !Based on what we know now, there is no evidence that credit card ....were targeted or compromised.!

    But everything you need to obtain loans, credit cards, driving licenses, property and on-line payment services were compromised.

    1. John Brown (no body) Silver badge

      Re: Love it...

      "But everything you need to obtain loans, credit cards, driving licenses, property and on-line payment services were compromised."

      Yes, so as a sop to the affected people, they will offer 12 months "free" credit monitoring. What happens to the poor schmucks after 12 months when the stolen data is still just as valuable? What if the crims just sit on it for 12 months while the company says "well, it looks like the data may not have been stolen after all since there's no evidence of it being used" and even the majority of the affected people have forgotten about it? The stolen information is not the sort of data you can easily change.

      1. Trainee grumpy old ****
        Meh

        Re: Love it...

        >> What happens to the poor schmucks after 12 months...

        Well, by then some other mega-corp will have been "hacked" and will be paying for 12 months of identity theft monitoring. Rinse and repeat.

    2. Ken Hagan Gold badge

      Re: Love it...

      "But everything you need to obtain loans, credit cards, driving licenses, property and on-line payment services were compromised."

      So, logically, all the businesses that currently use that combination of information will have to start asking for a different combination, because that combination is now public domain and only an idiot would want to stand up in court and admit that they dished out a credit card with nothing more than public domain info to identify the holder.

      This is the real cost and it is a cost to the rest of society. Not for the first time, we see security as a cost that is largely externalised. On the bright side, it *is* probably about time that companies stopped using SSNs as a key.

  7. Anonymous Coward

    The tinfoil hatter in me

    wonders if the NSA et-al had anything to do with this.

    The amount of data gleaned from this is priceless!!!!

    *probably not but hey, stranger things have happened....

    1. Andy Non
      Big Brother

      Re: The tinfoil hatter in me

      The NSA probably have back-door access to such databases anyway, so wouldn't need to hack them. They might even be authorised for front-door access so they can cross reference information about any people suspected of terrorism, political dissent or ingrown toenails.

  8. Mr.Mischief

    Obamacare in the sights?

    I wonder if the Republicans are going to use this as an excuse to repeal Obamacare.... again..

    *grabs popcorn*

    1. Destroy All Monsters Silver badge

      Re: Obamacare in the sights?

      It's not working by itself, no need to repeal.

      1. Anonymous Coward

        Re: Obamacare in the sights?

        "It's not working by itself, no need to repeal."

        Au contraire, it's working a treat at creating even more of a European style welfare & entitlement culture, and a Democrat spending counterbalance to the Republicans' military-industrial complex.

        So the healthcare and insurers will lobby with hundreds of millions of dollars for their interests, the military industrial likewise, and Wall Street as ever will be corruptly hoovering up the remaining third of the economy. Curiously this leaves the US economy with three pillars of welfare, defence and corruption. You'll notice that this excludes the real economy of employing productive workers to make or grow things, but it's been tried a number of times the world over (for example the Soviet Union), and it works just dandy for the 1%, just not for the masses. Even after the collapse of the Soviet Union, the 1% of that society got richer rather than poorer.

  9. Elmer Phud Silver badge

    Blame Game

    I see a Senator is busy trying to use this to beef up snooping.

    Yet it's not the Russkies or Norks or Chinese that ought to be brought to book but the company itself.

    It seems to say 'never mind all your personal info was pinched, it didn't get the card details'.

    How wonderful is that? With the personal details the crooks can get as many cards as they like. But as it won't affect the company, a large fuck they could not give.

    Oi, Senator Spongebrain -- it's your mates who need a good kicking, not the public!

  10. This post has been deleted by its author

    1. John G Imrie Silver badge

      Re: Wonderful...

      Until it costs more to settle the class action suits than fix IT security these things will keep happening.

      1. Ken Hagan Gold badge

        Re: Wonderful...

        Alternatively, until it costs more to settle than to insure against the risk, these things will keep happening.

        Of course, no-one would take your premium unless you had an externally audited IT security policy, and what are the chances of that happening, eh?

        1. Anonymous Coward

          Re: Wonderful...

          "Alternatively, until it costs more to settle than to insure against the risk, these things will keep happening."

          That's assuming they're insured. It was widely reported in 2014 that major infrastructure bodies were refused insurance against cyber attack by Lloyd's of London because they were utterly uninsurable.

  11. Doctor Syntax Silver badge

    Remediation

    On a breach such as this each affected data subject should be entitled to changes of all feasible attributes: phone numbers, social security numbers or the like*, email addresses all funded - including out of pocket costs such as sending out "here's my new contact details" letters (letters because undoubtedly some companies will insist on written confirmation) all paid for by the breached company.

    The costs of that should get shareholders' attention. More likely, of course, it would be covered by insurance but insurers would set premiums based on demonstrable protection of data - or lack thereof.

    *Yes, I know this would require action by the appropriate authority.

  12. adnim Silver badge
    Devil

    I look forward to Experian

    being rooted.

  13. The Vociferous Time Waster

    As reliable as a bank vault

    Banks used to have vaults and store lots of money on site. They accepted that they would get burgled from time to time and had insurance to cover it.

    As the insurance got more expensive they realised that the bank vault was not the best place to store the money, so now if you go in to a high street bank they have far less money.

    When will we realise that connected computers are inevitably going to get hacked and start working out better places to store our personal data?

  14. Anonymous Coward
    Angel

    We hardly know anything, but health data?! Never ever!

    We don't know what, don't know when, don't know what for, don't know how, do hardly know anything.

    But until you don't bring evidence of the contrary, we know for absolutely sure that health data wasn't compromised.

  15. Mark 85 Silver badge

    Data breach waiting to happen

    I'm thinking all the healthcare companies are a breach waiting to happen. They've rolled off the IBM and Unix mainframes for Windows and Linux clusters. Many are managed by an outsourced firm (no names, but they are big) which hires mostly outsourced developers. IT is a cost center so there's no incentive for the board to improve security by tossing the appropriate amount of budget their way. Lowest bidder, lowest cost, and oh.. security? Those are the guys who give the new hires their first password, right?

    The data floats back and forth between the insurance company's servers and the outsourced firm. Massive amounts of it. I am wondering where the breach actually occurred. Once you breach one side, you can own everything.

  16. stringyfloppy

    We join you in wondering why the f*ck we weren't more vigilant.

  17. Florida1920 Silver badge
    Pint

    Kudos to El Reg

    For publishing the names of the affected companies. Scanning Associated Press, Bloomberg and other U.S. news sites, I don't see that information. Despite the site de-design, the Reg is still a go-to place.

    Meanwhile, Amy Pascal has been kicked out of the chair at Sony Pix. But not because of the hacks. No, because of what she said in emails about the president and some actress. Corporate hacking will continue to be a growth industry as long as corporations refuse to take responsibility for their reckless handling of private information. Who's next?

  18. Anonymous Coward

    I love El Reg!

    Nowhere else on the internet can you find such a collection of tech-savvy, tech enthusiastic, tech knowledgeable, self important male egotist blowhard commentards.

    All the spouting off here, that the IT security person in charge should get fired, is a fool, doesn't know what he/she is doing, etc etc etc, is in essence saying that "I know better, it would have never occurred if..."

    Bloomberg is already stating that China's government is being fingered in this attack. So everyone here is so skilled that THEIR security would not fail underneath the attack from a government, backed with multi-billion pound/euro/dollar support.

    When pigs fly.

    But everyone here knows better...than everyone else. How many years of "Linux is secure because we have all those eyes looking at code!" did we just put up with from the El Reg commentards...only to be proven DEAD wrong and WITHOUT any form of mea culpa. For all too many El Reg participants, all others are fools who would wither under their expertise, all should bow under their greatness.

    Let's see how THEIR security precautions hold up against a governmental attack - THEN they can speak their expertise. And yes, I will get downvotes, boo-hoo.

    1. Doctor Syntax Silver badge

      Re: I love El Reg!

      "Bloomberg is already stating that China's government is being fingered in this attack."

      And, of course, you believe it unquestioningly. So what would a foreign govt. want with this? As opposed to a bunch of thieves who'd be aiming to make money out of it.

      'How many years of "Linux is secure because we have all those eyes looking at code!" did we just put up with from the El Reg commentards'

      Do you have some inside knowledge of just what OS the systems that were hacked were running, or are you just firing off random comments?

      1. Anonymous Coward

        Re: I love El Reg!

        "And, of course, you believe it unquestioningly. So what would a foreign govt. want with this? As opposed to a bunch of thieves who'd be aiming to make money out of it."

        Because you didn't bother to actually read the Bloomberg article, which gives exact and precise reasons? That being, to scrape information, by any means, of defense contractors, government employees, politicians, et al? If you can't directly attack the governmental data stores simply go to the other systems where these people dump their personal information of Social Security numbers, birthdates, locations most frequented, activity patterns, etc?

        And what does the comment about the general arrogance of the commentards here - years of Linux "superiority" from people who believed the OS and, by extension, themselves as users, to be fundamentally superior - have to do with what OS was hacked in this instance?

        The aforementioned is a statement about the attitude of the people here, NOT the OS - as you just proved, trying to use the OS itself as a gauge for overall knowledge.

        When Linux crashed down during the past 6 months, vulnerabilities exposed that sometimes were years old yet remained unpatched, almost NO El Reg commentard said a mea culpa and admitted that their years of rabid fandom and self importance was just SHOT DOWN. Almost NO ONE.

    2. Destroy All Monsters Silver badge

      Re: I love El Reg!

      self important male egotist blowhard commentards

      Troll Lady, please!

    3. Mark 85 Silver badge

      Re: I love El Reg!

      It doesn't require a government attack. My former employer's (health insurance company) IT bods are scrambling as they have basically the same equipment/software and outsourced "services".

      See my post above about "Data breach waiting to happen". The BC/BS's use a lot of the same outsourced company for software and a "cloud" of sorts where some data is local, but much with the outsourced company. Presumably, there will be more information forthcoming on this.

      Hell, the Blues even outsource processing of claims where they can. There are possible breaches all over the place in that industry.

      Not a great troll... but you tried.

      1. Anonymous Coward

        Re: data breaches

        The entire WORLD is a "data breach waiting to happen" as everyone has insisted upon settling with a fundamentally insecure protocol based on a sole decision of easy connectivity: TCP/IP. A GIANT security hole that can NEVER be plugged easily as the protocol was designed for ease of communications with no security at all.

        So now security is piggybacked ad lib, to best of personal (IT personnel) ability, rather than be so intrinsic in the design that IT tech must decide to deactivate it rather than struggle to properly and adequately implement it across a diverse network. IT spends its time, energy and money plugging security holes rather than working to stabilize, expand and improve both software and hardware infrastructures for users. Instead of working on porting a legacy business app to the new system, their resources are stretched paper-thin, all too often on a shoestring budget, keeping up with patches, firewall rules, server log reports, remote user administration, IT security bulletins, security-based browser updates, etc etc etc.

        But we've become so infatuated with "easy" that we now struggle to get a hold of the concept of "private", and we're failing. There IS fundamentally no such thing as a secure TCP/IP network, it can and will be breached by a dedicated enough attempt.

    4. Pu02

      Re: I love El Reg!

      'No where else on the internet can you find such a collection of tech-savvy, tech enthusiastic, tech knowledgeable, self important male egotist blowhard commentards... in essence saying that "I know better, it would have never occurred if..."'

      Fair comment perhaps, but it isn't really El Reg TSTETKSIMEBC vs. (in this case) Anthem IT bods, we (not to mention perhaps Anthem bods that read El Reg) are saying it wouldn't happen if we (as groups, communities, nations) took a bit of ownership and care over the technology we depend on, yet abuse every day.

      We're really saying it is (all too often) down to bad practices, poor management culture, and worse- not just the odd 'bad actor'. We've been putting up with those types since we first sat around a campfire.

  19. Erik4872

    Outsourcing strikes again maybe?

    Who knows if it's the case, but it seems to me like a company providing health insurance wouldn't consider IT one of their "core competencies". Not to say that in-house IT would have prevented it, but I've worked in lots of places where all or part of IT was outsourced, and it throws up a huge wall of abstraction that makes it very difficult to make changes, audit stuff, etc.

    It'll be interesting to see what comes out of the investigation. My guess is that their in-house security team has been reduced to rubber-stamping the outsourcer's plans, so as long as they're following ISO9000 or whatever, their insurance company will pay for the loss and nothing will change security-wise.

    1. Destroy All Monsters Silver badge
      Windows

      Re: Outsourcing strikes again maybe?

      ISO 27001. ISO 9000 is for hotel and canteen management.

      I have no idea how to apply it. Neither do the Big Taxpayer-Funded Institutions guys I sometimes meet and who are supposed to implement that at said Big Taxpayer-Funded Institutions. I suppose having the licence to ignore details when you have a folder stack of ISO docs and a cozy office must be bliss and heaven.

  20. Chairo
    Devil

    Insurances - aren't those the guys

    who want us to carry tracking devices and pedometers 24/7 to give us a "tailored" health insurance plan? And also to hook up our cars to their driving habit surveillance system, again to give us a "tailored" car insurance? The ones drooling about IOT and how to use it for best exploiting helping their customers?

    Good idea to give them even more data. They seem to handle it well.

  21. Hmmmmm....

    Missing the big picture

    After you read the article you might wonder why this matters. I'm actually disappointed that the writer didn't spell it out. If your CC is stolen you get a bill with unauthorized charges and you call the CC company and the card is deactivated (refunds and whatever don't matter for this discussion). If your medical insurance information is stolen two things can occur. First, someone could pose as you for procedures. That in itself isn't any worse than your CC being stolen. You will receive a bill and call about it. Odds are you will get new account numbers and they will stop the bleeding. But if the bad guys set up fake practices and start billing for services never rendered, they collect from the insurance companies and never bill the individual. Most people don't follow up on their medical claims unless they get a bill. They could milk the system for years. I've told this to others before and most people don't like their insurance companies so they really don't see this as bad. I guess they may later when they see how their rates went up to offset the rise in claims.

  22. VeryOldFart

    I am one of the lucky ones who was a client of theirs for years. My concern is that in 2, 3, 5 years from now someone will use my details to get credit and screw up my credit rating. I will be at a different address by then so I won't see the bills coming in for my 'new' credit cards. I probably won't know anything about it until I get a credit application rejected. I am not a happy bunny.

  23. crayon

    "Curiously this leaves the US economy with three pillars of welfare, defence and corruption."

    I always thought that the "defence" industry (which is a misnomer and should properly be called the warmonger industry) was the US equivalent of the European welfare system except the latter is more equitable.

Biting the hand that feeds IT © 1998–2019