Anthem Breach: How Hackers Stole Credentials and Why Two-Factor Authentication May Help Prevent Future Phishing Scams

Monday, February 09, 2015

Thu Pham


Indianapolis-based Anthem Inc., the second largest healthcare insurance provider, recently reported a data breach affecting 80 million customers and employees, according to the Wall Street Journal. The breach itself occurred in mid-December 2014 but wasn’t discovered until the end of January 2015.

So how did they do it?

Anthem’s CIO told the Wall Street Journal that hackers managed to obtain the access credentials to an Anthem database, and the Associated Press reported that the credentials of five different technical employees were stolen during the attack.

The company reports that no medical or financial information was exposed, but names, birthdates, medical IDs, Social Security Numbers (SSNs), physical addresses, email addresses and employment information (including income) were breached. Anthem offers Blue Cross Blue Shield insurance with office locations in California, Colorado, Connecticut, Indiana, Maine, Ohio and many other states, and insures one in nine Americans.

Measured against the data breaches revealed last year, this healthcare breach ranks near the top by number of records exposed: Target’s breach affected 40 million, Home Depot’s 56 million, and JPMorgan Chase topped the year at 76 million.

A History of Database Security Problems

However, this isn’t the first major data breach for the company. Anthem was formerly known as WellPoint, which might ring a bell for those who have been following the healthcare data breach headlines for a few years now. In July 2013, WellPoint was fined $1.7 million by the Department of Health & Human Services (HHS) after the company violated HIPAA (Health Insurance Portability and Accountability Act of 1996) compliance in 2010.

In that case, a ‘security weakness’ in an online application database left more than 600,000 records containing electronic protected health information (ePHI) publicly accessible online. The lawsuit brought against the health insurer by the federal government claimed that WellPoint lacked technical safeguards to verify the identity of users accessing the data in its application database, which suggests that its access and authentication security was poor at the time.

In the 2010 incident, hundreds of thousands of medical and personal records were leaked online. The most recent incident exposed only personal information, not medical records, so it falls outside the scope of HIPAA, which sets standards only for protected health information. Unlike the 2010 exposure, however, this breach was very clearly a direct attack by an external entity rather than an oversight in database security.

Even so, the company appears to have trouble securing the databases that hold its sensitive information. Anthem’s CIO told the Wall Street Journal that the attack was first detected when a systems administrator noticed that a database query had been issued under his identifier code, although he hadn’t initiated it. That suggests the attacker had gained legitimate access using the system administrator’s credentials, pointing to a phishing or other credential-stealing attack.

As immediate remediation, the CIO reported that Anthem has reset the passwords of all employees with privileged access to its data systems and blocked access that relies on a single password. But that doesn’t really address password-targeted attacks, including social engineering efforts such as phishing emails, and it certainly doesn’t address repeated phishing attacks against employees or customers.
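The detection signal described above, a database query running under an administrator’s identifier that the administrator did not initiate, can be turned into an automated check. The Python below is an added illustration, not code from the original post or from Anthem; the identifiers, hosts, statements and audit/login records are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data: identifiers, hosts and statements are invented for
# this example and do not come from any real system.
LOGINS = [  # (timestamp, identifier, workstation the admin logged in from)
    ("2014-12-10 08:02:11", "dba_ops1", "ws-admin-17"),
    ("2014-12-10 08:15:40", "dba_ops2", "ws-admin-22"),
]
AUDIT_LOG = [  # (timestamp, identifier the query ran under, source host, statement)
    ("2014-12-10 09:10:05", "dba_ops1", "ws-admin-17", "SELECT count(*) FROM members"),
    ("2014-12-10 10:30:42", "dba_ops1", "jump-host-04", "SELECT * FROM members"),
    ("2014-12-10 09:30:12", "dba_ops2", "ws-admin-22", "UPDATE claims SET status='paid' WHERE id=991"),
    ("2014-12-11 02:05:33", "dba_ops2", "ws-admin-22", "SELECT ssn, dob FROM members"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_unowned_queries(audit, logins, window=timedelta(hours=10)):
    """Return queries that no matching interactive session accounts for.

    A query is 'owned' only if the same identifier logged in interactively
    from the same host within `window` before it. Anything else is flagged
    with a reason: the identifier had an active session but on a different
    host (credentials reused from elsewhere), or no session at all
    (activity outside the administrator's own working session).
    """
    sessions = [(parse_ts(t), u, h) for t, u, h in logins]
    flagged = []
    for t, user, host, stmt in audit:
        ts = parse_ts(t)
        active_hosts = [h for start, u, h in sessions
                        if u == user and start <= ts <= start + window]
        if host in active_hosts:
            continue  # query came from the admin's own live session
        reason = ("host differs from active session" if active_hosts
                  else "no active session for identifier")
        flagged.append({"time": t, "user": user, "host": host,
                        "statement": stmt, "reason": reason})
    return flagged


if __name__ == "__main__":
    for hit in find_unowned_queries(AUDIT_LOG, LOGINS):
        print(f"{hit['time']} {hit['user']}@{hit['host']}: {hit['reason']} -> {hit['statement']}")
```

Correlating query audit records with interactive logins in this way surfaces the case the administrator spotted by eye, and does so without waiting for a human to notice an unfamiliar query under their name.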

Phishing Scams Target Anthem Customers

Anthem customers already appear to be targeted by phishing scams launched within hours of the breach announcement, according to reports, which suggests the data has already fallen into the wrong hands. Seeking to exploit the incident to steal financial and personal data from Anthem customers, phishers have sent out emails with a link urging recipients to “click here to get your free year of credit card protection.” They are also cold-calling customers as part of the scam.

Anthem stated that any legitimate notifications from the company will be sent only via postal mail. In an FAQ about the breach, they also added a note about scams:

Q: I think I received a scam email related to Anthem’s cyber-attack?

A: Members who may have been impacted by the cyber-attack against Anthem should be aware of scam email campaigns targeting current and former Anthem members. These scams, designed to capture personal information (known as “phishing”), are designed to appear as if they are from Anthem, and the emails include a “click here” link for credit monitoring. These emails are NOT from Anthem.

DO NOT click on any links in email.
DO NOT reply to the email or reach out to the senders in any way.
DO NOT supply any information on the website that may open, if you have clicked on a link in email.
DO NOT open any attachments that arrive with email.

Two-Factor Authentication Protects Administrator Access

Phishing attacks bypass a number of security controls, including encryption, and they are often the easiest and most successful way to gain access and data. If the Anthem attack succeeded because a single password was all that stood in the way, their access security wasn’t up to industry standards.

Two-factor authentication may have thwarted attacks by requiring the use of a personal device to verify the identity of a system administrator or other technical employee with access to their database of millions of sensitive records. It’s considered best practice for any type of company with sensitive data, and it’s rather revealing of the security health of the healthcare industry if the second-largest health insurer didn’t have it in place.
