The Chinese just walked out of Anthem’s enormous data warehouse (though without encrypting their data it might as well have been a troop of Girl Scouts) with personal data on a quarter of America’s population. Assuming that the pro forma outrage and denial is a confirmation of culpability, the People’s Liberation Army and its various subsidiaries will comb over this and other data they hoover up in the maw of their cyber apparatus for defense and economic intelligence purposes for years, further enabling their surveillance and exploitation of Americans they find interesting.
There are intelligence overtones to the intrusion. According to some reports it fits the pattern of a Chinese government hacking team with the ironic moniker of Deep Panda, which over the last several months has targeted both defense contractors and the health care industry. The ability to plumb identity and health-related behaviors is part of a robust HUMINT gathering program by a nation-state seeking to identify openings about or to help them impersonate key individuals. The idea that China or any other potential adversary is vacuuming details on every citizen it can get its hands on should raise the hackles of everyone from the commander in chief on down.
This is one of the largest corporate breaches ever and has significant fiscal, legal, and intelligence implications. The latest reports indicate that the breach occurred because the data was not encrypted and the attacker used the credentials of an authorized user.
The purpose of this attack differs from the Target and Home Depot hacks last year (committed by run of the mill East European crooks looking for anything they could steal or sell). This is industrial scale gathering of HUMINT data on an entire population. It’s one thing if Google and Facebook are doing it and quite another when the spies of another country do it. It is likely that Chinese spymasters are strategically using cyberspace for the long term exploitation of the online existence of entire nations.
In response to this and other breaches, the executive branch recently announced that it is going to tackle the problem by making another bureaucracy. Frankly, it is just a rebranding of the ongoing shuffling of deck chairs which takes the various entities that can’t do much about the problem and puts their representatives in the same room – wait, they’ve been doing that for awhile – but the latest effort puts the Director of National Intelligence in charge and may yet yield a different outcome if there is coherent execution authority. If this is a real attempt to actually change the status quo, great, but there has to be leadership, will, and initiative along with the organizational shuffling of the usual suspects.
Our cyber warriors and cops are beset by lawyers and an overabundance of caution on the part of their political leadership which is paralyzing the operational process of identifying, disrupting, and deterring cyber attack. Acknowledging the problem is a great first step but one we keep making ad infinitum.
All that being said, let’s take a look at what is known about the Anthem hack so far:
Anthem, Inc., (formerly known as WellPoint) is the nation’s second largest health insurer and reportedly suffered a data breach of as many as 80 million customer records, twice the size of the Target hack last year. What did they get? Lots of personal information but so far there is no indication that medical data was compromised (there is plenty of time to figure that out).
Anthem discovered the security breach when an employee noticed someone was searching a database using his credentials. Investigators tracked the data to a cloud service outside of the company, where they were able to lock it down, Anthem says, although it doesn’t know if hackers had already copied the data or moved it elsewhere. This is one of the largest (in terms of customers affected) corporate breaches to date and has significant fiscal, legal, and intelligence implications.
- The breach was only detected because the administrator whose credentials were taken noticed that his identity was in use elsewhere when he logged in.
- Luck, not the company’s cyber defenses, identified the attack.
- The company and its leadership knew that they had data security problems since at least 2013
- Lawsuits have already been filed in several states.
- The company and its board will probably be sued a la Target.
The first impact is cost. The rule-of-thumb cost of a data breach hovers at $200 per record (pro forma costs are credit reporting at $10 per person per agency, $60 total for a couple, administrative costs for outreach, and cyber investigation/response and damages on top of that, etc…). As an example the publicly acknowledged cost to date of the Target hack is in excess of $140M and this number does not take into account loss of reputation and revenue. That attack was half the size which implies an exposure around $300M, all else being equal.
Secondly, litigation – the company was fined almost $2M under HIPAA in 2013 for poorly secured patient information. The data taken in the current incident was not encrypted “in order to make it more useful”. In the event that a corporate board is aware of cyber vulnerabilities which result in the loss of customer/corporate PII (Personally Identifiable Information) it is increasingly likely that both it and individual members will be sued along with the company. In a similar case attempting to hold corporate leadership accountable in a cyber compromise a federal court is allowing a suit against Target and its board to proceed.
Finally, the compromise of Anthem’s data systems makes clear that the penalties under HIPAA are not forcing enough change fast enough in the health care industry’s data management.
This incident raises several specters:
- Cyberattacks are increasingly frequent and more expensive both fiscally and operationally,
- It still takes months, not days or weeks, to detect an attack (and this one was not that sophisticated)
- Our toothless response as a nation is doing little to deter attacks.