https://orcid.org/0000-0002-9097-2246
1. January 29, 2015,has gone down to record one of the greatest data breaches in the history of breaches and will be long a case study for students to learn of how it all happened.This particular breach relates to Anthem Inc,the largest for-profit managed health care company in the Blue Cross and Blue Shield Association, that discovered that cyber attackers executed a sophisticated attack to gain unauthorized access to its IT system and obtained personal information relating to consumers who were or are currently covered by Anthem.It is believed that this suspicious activity may have occurred over a course of several weeks beginning December, 2014.
2. Anthem disclosed that it potentially got stolen over 37.5 million records that contain personally identifiable information from its servers. According to The New York Times about 80 million company records were hacked, and there is fear that the stolen data will be used for identity theft.
3. This post brings out few key points of what ever has been discovered and revealed till now...
- The compromised information contained names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data.
- Till now credit card ,banking information,financial,medical information compromise has not been validated.
- As per site...“With nearly 80 million people served by its affiliated companies including more than 37.5 million enrolled in its family of health plans, Anthem is one of the nation’s leading health benefits companies.”....shows the quantifed prone customers effected likely...and thats huge....
- Once the attack was discovered, the company immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.
- Analysis of open source information on the cyber criminal infrastructure likely used to siphon 80 million Social Security numbers and other sensitive data from health insurance giant.
- Less than 6 months ago a similar breach effected CHS(Community Health Systems, Inc.) of 4.5 million patient records that was attributed to “highly sophisticated malware”.
- The Company and its forensic expert believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack the Anthem Inc Company'’s systems.
- According to the Associated Press, the attackers who targeted and exfiltrated more than 80 million customer records from Anthem Inc, were able to commandeer the credentials of at least five different employees. We know from Anthem themselves that at least one admin account was compromised, as the admin himself noticed his credentials being used to query their data warehouse.
HOW IT COULD HAVE HAPPENED?
"Looking at job postings and employee LinkedIn profiles it appears that the data warehouse in use at Anthem was TeraData. By doing some quick searches on LinkedIn I was able to find more than 100 matches for TeraData in profiles of current employees at Anthem, including, CXOs, system architects and DBAs. Discovering these employees emails is trivial and would be the first step attackers could take to identify who to target for spear-phishing campaigns.
Once they are able to compromise a few high level employee systems through a phishing campaign either through malware attachments or through a browser exploit, gaining access to a user’s database credentials would be trivial. This would be where the “sophisticated malware” that is being reported would be utilized, if the malware was designed specifically for this attack it would evade most anti-virus products.
What may be a key weakness here is that it appears there were no additional authentication mechanisms in place, only a login/password or key, with administrative level access to the entire data warehouse. Anthem’s primary security sin may not have been the lack of encryption, but instead improper access controls. Although it appears the user data was not encrypted, in Anthem’s defense if the attackers had admin level credentials encryption would have been moot anyway.
I should note that TeraData provides quite a few security controls, including encryption, as well as additional data masking features, even specifically called out for protecting Social Security Numbers and related data. So odds are the actual vulnerability here is not in the software, operating system or hardware, but how the system and access controls were configured based on business and operational requirements."
Source : http://www.tripwire.com/state-of-security/incident-detection/how-the-anthem-breach-could-have-happened/
2. Anthem disclosed that it potentially got stolen over 37.5 million records that contain personally identifiable information from its servers. According to The New York Times about 80 million company records were hacked, and there is fear that the stolen data will be used for identity theft.
3. This post brings out few key points of what ever has been discovered and revealed till now...
- The compromised information contained names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data.
- Till now credit card ,banking information,financial,medical information compromise has not been validated.
- As per site...“With nearly 80 million people served by its affiliated companies including more than 37.5 million enrolled in its family of health plans, Anthem is one of the nation’s leading health benefits companies.”....shows the quantifed prone customers effected likely...and thats huge....
- Once the attack was discovered, the company immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.
- Analysis of open source information on the cyber criminal infrastructure likely used to siphon 80 million Social Security numbers and other sensitive data from health insurance giant.
- Less than 6 months ago a similar breach effected CHS(Community Health Systems, Inc.) of 4.5 million patient records that was attributed to “highly sophisticated malware”.
- The Company and its forensic expert believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack the Anthem Inc Company'’s systems.
- According to the Associated Press, the attackers who targeted and exfiltrated more than 80 million customer records from Anthem Inc, were able to commandeer the credentials of at least five different employees. We know from Anthem themselves that at least one admin account was compromised, as the admin himself noticed his credentials being used to query their data warehouse.
HOW IT COULD HAVE HAPPENED?
"Looking at job postings and employee LinkedIn profiles it appears that the data warehouse in use at Anthem was TeraData. By doing some quick searches on LinkedIn I was able to find more than 100 matches for TeraData in profiles of current employees at Anthem, including, CXOs, system architects and DBAs. Discovering these employees emails is trivial and would be the first step attackers could take to identify who to target for spear-phishing campaigns.
Once they are able to compromise a few high level employee systems through a phishing campaign either through malware attachments or through a browser exploit, gaining access to a user’s database credentials would be trivial. This would be where the “sophisticated malware” that is being reported would be utilized, if the malware was designed specifically for this attack it would evade most anti-virus products.
What may be a key weakness here is that it appears there were no additional authentication mechanisms in place, only a login/password or key, with administrative level access to the entire data warehouse. Anthem’s primary security sin may not have been the lack of encryption, but instead improper access controls. Although it appears the user data was not encrypted, in Anthem’s defense if the attackers had admin level credentials encryption would have been moot anyway.
I should note that TeraData provides quite a few security controls, including encryption, as well as additional data masking features, even specifically called out for protecting Social Security Numbers and related data. So odds are the actual vulnerability here is not in the software, operating system or hardware, but how the system and access controls were configured based on business and operational requirements."
Source : http://www.tripwire.com/state-of-security/incident-detection/how-the-anthem-breach-could-have-happened/
Another set of possibilities vide The Hacker News THN Post refers at http://thehackernews.com/2015/02/anthem-data-breach.html
