Was Anthem Breach a Sophisticated Attack or Just Lax Security Controls?

Sue Marquette Poremba
Slide Show

Security Lessons Learned from 2014: The Year of the Mega Breaches

I was watching one of my favorite news shows late last night when the host came back from commercials with a breaking news story: Health-insurance company Anthem had been breached. The show’s host provided a couple of details of what the breach entailed; he said that it was personal information of customers and employees, their addresses, birthdates, Social Security numbers (emphasis was the host’s).

After that, I knew exactly what I was going to be waking up to this morning: an inbox filled with commentary on this latest high-profile breach and a topic right at hand for today’s blog post.

Much of that commentary applauded Anthem for its quick response to the breach, like this comment from Lee Weiner, SVP of products and engineering with Rapid7:

The FBI has commended Anthem for its quick response to this breach. Being able to detect and address a security incident quickly is a huge challenge and can make all the difference in terms of the impact and ability to pursue the culprits. Based on the limited information available, it sounds like Anthem discovered the problem pretty quickly and was able to move fast in confirming an incident and calling in support from law enforcement and information security responders.

Weiner wasn’t kidding about limited information. I haven’t seen much about the breach details beyond what information was stolen and, in some minds just as importantly, what wasn’t stolen. As a CNBC article pointed out, medical information wasn’t stolen:

If there's a silver lining, it's that medical information wasn't included in the theft. Had claims data, test results or other medical data been stolen, it could also have opened the door to bribery, said Kevin Epstein, vice president of advanced security and governance for security firm Proofpoint. Any number of salient health details, from mental health issues to addiction treatments, could have been leveraged against victims.

However, as vArmour CEO Tim Eades told me in an email, medical data probably had little interest for the hackers; the personal information with Social Security numbers holds a lot more value financially.


Anthem CEO and President Joseph R. Swedish stated that this was a very sophisticated hack. Again, because we don’t know much about the attack itself yet, we can’t say for sure how well planned it was. However, according to an eWeek article, there may have been a flaw in Anthem’s own security controls that may have had something to do with this latest breach:

“When it comes to internal systems where data is stored, stronger access controls are a must, and in this case, it looks like multi-factor authentication was not being used,” Jason Hart, vice president of cloud services, identity and data protection at Gemalto, told eWEEK. “From a security standpoint, that is surprising.”

Eventually, we’ll learn more details on this breach and we’ll see how sophisticated it was (or wasn’t). Until then, I think this particular breach’s learning moment is to take a closer look at your own authentication methods. Are you still relying on single-factor authentication or are you using harder-to-crack authentication combinations?

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba

Add Comment      Leave a comment on this blog post

Post a comment





(Maximum characters: 1200). You have 1200 characters left.



Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.