Lack of encryption, phishing suspected as flaws in U.S. data breach

By now many readers know that one of the biggest private health care providers in the U.S. was the victim of a massive data breach. The question is what we can learn from it, at least from what has been disclosed so far.

It was learned after the break-in was revealed Feb. 4 that perhaps tens of millions of unencrypted personal records at Anthem Inc. were taken. The good news is credit card information wasn’t likely exposed. The bad news is other sensitive data was, including names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data — in other words, enough for someone to create phony IDs.

Why no encryption? Apparently, according to SC Magazine, the institution felt it had other security strategies, including limiting access to that particular database. In fact the breach was discovered by a database administrator who spotted a query running under his name that he hadn’t made.

Even though the files weren’t encrypted, the Anthem breach has started a debate on the value of encryption, the Web site says, with a number of people pointing out that encryption is essentially defeated if the hacker gets hold of credentials of a staffer who has authority to read protected files — and in the case of Anthem it looks like that’s what happened.

In fact CSO Online quotes an Associated Press report that five Anthem staffers had their credentials compromised.

“Encryption doesn’t do any good if you are taking over a user account that has the ability to see the data in the clear,” a Gartner security expert told SC Magazine.

So one lesson is that in addition to encryption organizations need to have network monitoring to watch what is leaving the organization and where it is going.
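The DBA in this case noticed a query running under his own name that he hadn’t issued. That kind of check can be automated: compare each statement a privileged account runs against that account’s normal pattern and raise anything that doesn’t fit. The script below is an added illustration, not code from Anthem or from any of the publications quoted here; the audit-log format, the account and host names and the thresholds are all constructed for the example.

```python
# Added example: flag database queries that run under a privileged account
# but don't match that account's usual pattern (source host, volume, time).
# The log format, account names, hosts and thresholds are constructed for
# illustration; they are not Anthem's systems or logs.
from dataclasses import dataclass
from datetime import datetime


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    src_host: str
    rows: int
    statement: str


# Constructed sample audit log: two routine DBA entries, then two entries
# that look like a bulk export from an unfamiliar host at night.
SAMPLE_LOG = """\
2015-01-27T09:12:03 dba_jsmith ws-dba-01 12 SELECT count(*) FROM members
2015-01-27T09:40:51 dba_jsmith ws-dba-01 1 ALTER INDEX idx_member_id REBUILD
2015-01-27T23:07:14 dba_jsmith vpn-gw-07 2500000 SELECT * FROM members
2015-01-28T02:15:09 dba_jsmith vpn-gw-07 1800000 SELECT * FROM member_employment
"""

# Baseline assumptions (constructed): which hosts each privileged account
# normally works from, a row-count ceiling above which one statement looks
# like an export rather than administration, and normal working hours.
KNOWN_HOSTS = {"dba_jsmith": {"ws-dba-01"}}
BULK_ROWS = 100_000
WORK_HOURS = range(7, 20)


def parse_log(text):
    """Parse 'timestamp user host rows statement' lines into AuditEvents."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, rows, stmt = line.split(" ", 4)
        events.append(AuditEvent(datetime.fromisoformat(ts), user, host, int(rows), stmt))
    return events


def flag_event(ev):
    """Return the list of reasons an event deviates from the account's baseline."""
    reasons = []
    if ev.user in KNOWN_HOSTS and ev.src_host not in KNOWN_HOSTS[ev.user]:
        reasons.append("unfamiliar source host")
    if ev.rows >= BULK_ROWS:
        reasons.append("bulk read")
    if ev.ts.hour not in WORK_HOURS:
        reasons.append("outside working hours")
    return reasons


def suspicious_events(text):
    """Return (event, reasons) pairs for every log entry that raised a flag."""
    out = []
    for ev in parse_log(text):
        reasons = flag_event(ev)
        if reasons:
            out.append((ev, reasons))
    return out


if __name__ == "__main__":
    for ev, reasons in suspicious_events(SAMPLE_LOG):
        print(f"{ev.ts} {ev.user}@{ev.src_host} rows={ev.rows}: {', '.join(reasons)}")
```

Each of the three checks on its own would produce noise; together they single out the two statements that look like an export using stolen credentials, which is the scenario described above. In practice the baseline would be built from the account’s own history rather than hand-written, and the same approach applies to the network side the lesson above mentions: large transfers leaving the organization from a host that never did so before.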

CSO Online also asks if two-factor authentication could have prevented the attack. It seems unlikely given the attacker apparently already had a DBA’s credentials. “It will be interesting to discover of what exactly the DBA’s credentials consisted,” the site quotes John Zurawski, vice-president at Authentify, as saying. “If they were simply a username and a password, shame on Anthem. Even President Obama has figured out that systems containing PII need two-factor authentication, and said so in his Presidential cybersecurity directive.”

So the fact that the DBA credentials were taken and maintained suggests a phishing attack was used. If so, here again more sophisticated network monitoring and better staff training against social engineering could have mitigated the attack.

It will be interesting to see if Anthem reveals more evidence of what actually happened.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
