By now many readers know that one of the biggest private health care providers in the U.S. was the victim of a massive data breach. The question is what we can learn from it, at least from what has been disclosed so far.

Perhaps tens of millions of unencrypted personal records at Anthem Inc. were made off with it was learned after the break-in was revealed Feb. 4. The good news is credit card information wasn’t likely exposed. The bad news is other sensitive data was, including names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data — in other words, enough for someone to create phony IDs.

Why no encryption? Apparently, according to SC Magazine, the institution felt it had other security strategies, including limiting access to that particular database. In fact the breach was discovered by a database administrator who spotted a query running under his name that he hadn’t made.

Even though the files weren’t encrypted, the Anthem breach has started a debate on the value of encryption, the Web site says, with a number of people pointing out that encryption is essentially defeated if the hacker gets hold of credentials of a staffer who has authority to read protected files — and in the case of Anthem it looks like that’s what happened.

In fact CSO Online quotes an Associated Press report that five Anthem staffers had their credentials compromised.

“Encryption doesn’t go any good if you are taking over a user account that has the ability to see the data in the clear,” a Gartner security expert told SC Magazine.

So one lesson is that in addition to encryption organizations need to have network monitoring to watch what is leaving the organization and where it is going.

CSO Online also asks if two-factor authentication could have prevented the attack. It seems unlikely given the attacker apparently already had a DBA’s credentials. “It will be interesting to discover of what exactly the DBA’s credentials consisted,” the site quotes John Zurawski, vice-president at Authentify, as saying. “If they were simply a username and a password, shame on Anthem. Even President Obama has figured out that systems containing PII need two-factor authentication, and said so in his Presidential cybersecurity directive.”

So the fact that the DBA credentials were taken and maintained suggests a phishing attack was used. If so, here again more sophisticated network monitoring and better social training for staff could have mitigated the attack.

It will be interesting to see if Anthem reveals more evidence of what actually happened.

  • Ulf Mattsson

    I agree that “Encryption doesn’t go any good if you are taking over a user account that has the ability to see the data in the clear.” Instead you need data neutralized to reduce its value to hackers.

    Aberdeen Group reported in a very interesting study with the title “Tokenization Gets Traction” that tokenization users had 50% fewer security-related incidents than non-users and 47% of respondents are using tokenization for something other than cardholder data.

    Aberdeen also has seen a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data.

    Ulf Mattsson, CTO Protegrity