A lesson in how to react to a data breach

The latest victim to succumb to the ongoing spate of catastrophic data breaches is America’s second largest healthcare provider, Anthem, which was hit hard and liberated of more than 80 million personal health records. 

The records stolen include residential addresses, birth dates, medical identification numbers, social security numbers, email addresses and income data.  

Anthem is governed by HIPAA and HITECH, two fairly rigorous US healthcare industry compliance bodies, but as we all know, compliance frameworks cannot and will not stop a targeted attack.

They can help reduce the likelihood of a drive-by attacker or script kiddie being successful, and will also undoubtedly reduce the risk of being fined by your local privacy commissioner.

However, as soon as a well-funded and capable hacking group has you in its sights, all bets are off.

In the case of Anthem, my impression is that it did a pretty good job in managing this incident.

Once a breach had been identified, its technical staff seemed to react quickly to patch the vulnerability and stop the data leak. The intruder had almost a month of unfettered access to databases before being discovered, so anything could have happened.

It also seems that the discovery of the hack was more by luck than anything else - it was a contract database administrator that stumbled on the intruder running unauthorised queries on the database backend server. 

As soon as Anthem’s security guys understood what they were dealing with, they called in the cavalry (Mandiant and the FBI), and began notifying customers with awareness material to prepare them for the inevitable phishing attacks and identity scams.

Anthem’s homepage also sports a notification to customers about the breach, and links to an apology from the CEO.

This kind of proactive and communicative response ensures the company can focus solely on securing its systems rather than having to spend time repairing reputational damage as well.

To see how damaging a bungled response can be, look no further than Catch of the Day, which took three years to inform its customers of a similar data breach and suffered significant brand damage as a result.

Who was behind the attack?

The immediate consideration is the value this kind of data holds on the black market: records fetch anything from $10 to $1300 depending on the perceived value of the data. High profile business execs and celebrities can fetch even higher prices.

It’s a profitable business when you have over 80 million units of your product to sell, so identifying the culprit inevitably starts with a line-up of organised crime mobs in the US, Russia, Brazil or Europe.

However, according to a report by Bloomberg, the breach might be tied to China and could well be state sponsored. 

Some reports suggest this might simply be part of a broader espionage effort against selected individuals, defense contractors and government officials.

The small number of records the attackers really want, those pearls among the oyster shells, are details on US Senators, executives in defense contracting companies, scientists working on defense research, etc. That data gives the miscreants all the details required to launch other kinds of espionage attacks targeted at these high-yield, valuable targets.

China has always been very good at playing the espionage game. If indeed it emerges that China has links to the group that customised this extremely sophisticated and targeted attack, it could take years to discover the true motivation behind it.