As noted in our previous newsletter, no sooner had we posted on our blog last week about the ease with which ID theft can be perpetrated, than news broke of another massive data breach, this one affecting upwards of 80 million or so Anthem Blue Cross customers.
As PBS reports, “Initial investigation indicates that the member data accessed included names, dates of birth, member ID/ social security numbers, addresses, phone numbers, email addresses and employment information,” according to Anthem, and further the company says “it does not believe customer medical diagnosis or treatment information was exposed to the hackers, and that credit-card information was not accessed either.”
Still, according to the article, “as bad as the hack was, it is only the tip of a very deep iceberg for Anthem’s Medicare and other customers. The episode has, for example, sparked an echoing wave of other online fraud efforts, as people send out ‘phishing’ emails trying to convince Anthem customers to mistakenly turn over personal information.” To combat the problem, Anthem says it will be embracing the unhackable retro comforts of surface mail, no less, to send customers truly critical pieces of information, so be wary of any email from them insisting you divulge more information.
The article notes that more such breaches are doubtless on the way. But why? And how? According to MIT — who we seem to be citing a lot lately — the ability to hack a system like Anthem’s was distressingly easy: “Even if Anthem had used encryption, the data could have still have been compromised. Encryption is just one part of the arsenal that organizations need to deploy to secure sensitive data. Encryption is great for securing data in transit and at rest, but if the credentials and keys are compromised it does little to protect the data. The bigger issue in many breaches is that organizations haven’t properly implemented data access security controls.”
According to the author of the MIT Technology Review column, “It’s ridiculously easy for cybercriminals to find the information they need to compromise almost any organization. A quick look at Anthem job postings and LinkedIn profiles was enough for me to identify the software Anthem uses for its data warehouse. From there, I could easily identify more than 100 people, such as system architects and database administrators, who would have privileged access to the data warehouse storing tens of millions of sensitive personal records.”
Is the solution to keep your own system administrators from posting too much online? The column’s author says security practices do need to be reviewed in every industry that has an online presence — which means, really, every industry. Encryption alone is not enough.
The government is trying to help as well. Earlier this week the White House announced the formation of a “Cyber Threat Intelligence Integration Center.” As the mission statement for the Center noted, ““No system is immune to infiltration by those seeking to steal commercial or government information and property or perpetrate malicious and disruptive activity.”
Whether a new layer of intelligence-gathering will keep everyone’s personal information safe — or private — remains to be seen. But AVPS’ mission remains the same: To bring you both service, and security. Feel free to get in touch with your AVPS Rep about bolstering either end of that equation — from new methods of payment convenience for your customers, to new programs for fraud detection in transactions.
We were thinking about security before it was fashionable. Let’s think together about yours.