It should come as no surprise that another major data breach is in the headlines. Anthem, the nation's second-largest insurance provider, may have had as many as 80 million personal records compromised. There are several factors that make this breach notable. Primarily, it is the first major health insurance breach of its scale. The largest breach prior to it was the loss of over 4 million records by CHS.
However, what isn't unique about this breach is perhaps more interesting. Once again, the malefactor is the enigmatic "very sophisticated external cyber attack." The early indications are that the initial attack vector was phishing and probably some social engineering.
Statements indicating that the company immediately made every effort to close the security vulnerability suggest that a known vulnerability was exploited in the corporate web environment or that a payload was delivered via spear phishing to employees but was easily corrected once identified as the point of entry (DarkReading).
Security expert Aamir Lakhani of World Wide Technology and the respected blog site drchaos.com stated, "We are hearing this phrase 'sophisticated attack' more these days. Sony also was described as a sophisticated attack." He points out that the incident response firm Mandiant used the term sophisticated attack in the Sony breach. Mandiant has also been called in for this breach and is once again using the term.
It seems like deeming an incident a 'sophisticated attack' without providing further explanation is becoming a post-breach norm. Lakhani questions, "I wonder if this is a way to convey to the public that the company had a robust security program and they did all they could do to prevent the 'normal' attacks, but not these 'sophisticated' ones."
Even though this explanation is convenient, it doesn't change the fact that 80 million personal records may now be circulating on the black market. Lakhani emphasizes that "PII data that was stolen is more valuable than PHI (Personal Health Information) and will most likely be used in future identity thefts."
He may be right. PII can be used to open new lines of credit under stolen identities and then converted straight to cash. Medical records themselves are typically used for specific types of scams or insurance fraud. The confusion arises because PHI and PII are almost identical in content, although PHI is typically more heavily guarded.
While it seems that the term "highly sophisticated cyber attack" does deflect blame and isn't inaccurate, there isn't an easy solution to this problem. The main reason is that socially engineered phishing emails are highly effective tactics. This topic was covered more in depth in this RiskIQ blog.
In comparison to more standard spam campaigns or fake software alert malware infections, this is a more sophisticated form of cyber attack, and one most companies clearly aren't prepared for.
The big question becomes, how can companies prevent the loss of data? While it's unrealistic to expect a brand new, one-size-fits-all solution to appear overnight, it's equally unrealistic for major brands to continue to allocate only 10% of their total IT budget to security.
Rather than worrying about who gets blamed for what, now is the time to understand that individuals and companies are in this together, as trust and sharing is a major part of the modern Internet. Security should have a role in planning and implementing long-term strategies to protect consumers and their data.
Security should also be given the budget to experiment with modern solutions to age-old problems, such as phishing and cross-site scripting, and to tackle new ones like malvertising. The long-term benefits will outweigh the short-term costs because customer loyalty and brand reputation are the most valuable assets to a business. Putting those at risk is a recipe for disaster.