The first large-scale data breach of 2015 has, according to Anthem President and CEO Joseph Swedish, a simple cause: “These attackers gained unauthorized access to Anthem’s IT systems…”. Just as with all of the largest data breaches of 2014, this one involved some form of unauthorized access, whether through direct use of stolen credentials or through remotely controlled malware.
This breach continues a three-year trend. The medical/healthcare industry topped the ITRC 2014 Breach List, accounting for 42.5 percent of the breaches recorded. It’s clear that healthcare payers and providers need a strategy for detecting attackers who use legitimate stolen credentials to impersonate employees.
Since the announcement, we know of a few details through a variety of sources:
- The hackers obtained the credentials of five different employees and used them to penetrate the network.
- The hackers may have been inside the system since December.
- Internal database administrators discovered the breach after noticing strange queries being executed and investigating.
- The data was not encrypted. Anthem spokeswoman Kristin Binns said encryption would not have thwarted the latest attack because the hacker also had a system administrator’s ID and password. She said the company normally encrypts data that it exports.
- Patrick Nielsen, a senior security researcher with Kaspersky Lab, says Anthem’s hacked databases included information about some former customers, and wondered why that data was still around. “Once they’re former members, it’s probably not necessary to keep that information around,” he said.
Adam Meyer, chief security strategist of threat intelligence consultancy SurfWatch Labs, says the database administrator who discovered the breach saw his own credentials being used to perform the queries. He goes on to say that CIOs should be looking at what their exposures are: the most exposed services on the Web, as well as employees who are surfing the Web and clicking on email. Beyond that, they can do a few things to identify abnormal behavior that could suggest malicious activity is occurring: review database activity and the account activities of privileged users.
One possible solution would be to implement user behavior intelligence solutions to detect subtle differences in behavior between an employee’s credential accessing systems and data for legitimate reasons and an attacker that is trying to steal data.
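The review of privileged database activity that Meyer recommends, and the behavioral comparison described above, can be approximated with a per-account baseline: learn which hosts, hours, tables and row volumes a DBA account normally touches, then flag later events that fall outside that profile. The script below is an added example written for this page; it is not code from the original post, from Anthem, or from any vendor product. The audit-log format, the account and host names, the tables and the volume threshold are all constructed assumptions.

```python
"""Added example (not the original post's code): a minimal behavioral baseline
for privileged database accounts, run over constructed audit-log lines.
Log format, names and thresholds are hypothetical."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of "normal" activity for one privileged account.
# Format: <ISO timestamp> account=<id> host=<source> stmt=<type> table=<name> rows=<count>
BASELINE_LINES = [
    "2015-01-05T09:12:00 account=dba01 host=dba-ws-01 stmt=SELECT table=claims rows=120",
    "2015-01-05T11:40:00 account=dba01 host=dba-ws-01 stmt=UPDATE table=claims rows=3",
    "2015-01-06T14:05:00 account=dba01 host=dba-ws-02 stmt=SELECT table=members rows=450",
    "2015-01-07T16:30:00 account=dba01 host=dba-ws-01 stmt=SELECT table=claims rows=80",
    "2015-01-08T10:02:00 account=dba01 host=dba-ws-01 stmt=SELECT table=members rows=12",
]

# Constructed later events to score against that baseline: one routine query
# and one off-hours bulk read from an unfamiliar source host.
NEW_LINES = [
    "2015-01-27T10:20:00 account=dba01 host=dba-ws-01 stmt=SELECT table=claims rows=95",
    "2015-01-28T02:14:00 account=dba01 host=vpn-pool-17 stmt=SELECT table=members rows=2000000",
]


def parse_line(line):
    """Turn one audit-log line into a dict; 'rows' becomes an int."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = int(value) if key == "rows" else value
    return event


def build_baseline(lines):
    """Per account: the hosts, hours of day and tables seen, and the largest row count."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set(), "tables": set(), "max_rows": 0})
    for event in map(parse_line, lines):
        profile = base[event["account"]]
        profile["hosts"].add(event["host"])
        profile["hours"].add(event["ts"].hour)
        profile["tables"].add(event["table"])
        profile["max_rows"] = max(profile["max_rows"], event["rows"])
    return base


def score_event(baseline, event, volume_factor=10):
    """Return the list of ways this event departs from the account's profile (empty = normal)."""
    profile = baseline.get(event["account"])
    if profile is None:
        return ["unknown_account"]
    reasons = []
    if event["host"] not in profile["hosts"]:
        reasons.append("new_host")
    if event["ts"].hour not in profile["hours"]:
        reasons.append("unusual_hour")
    if event["table"] not in profile["tables"]:
        reasons.append("new_table")
    # A read that dwarfs anything the account has done before looks like an export.
    if event["rows"] > volume_factor * profile["max_rows"]:
        reasons.append("bulk_rows")
    return reasons


def detect(baseline_lines, new_lines):
    """Build the baseline, then return (line, reasons) for every anomalous new event."""
    baseline = build_baseline(baseline_lines)
    alerts = []
    for line in new_lines:
        reasons = score_event(baseline, parse_line(line))
        if reasons:
            alerts.append((line, reasons))
    return alerts


if __name__ == "__main__":
    for line, reasons in detect(BASELINE_LINES, NEW_LINES):
        print(", ".join(reasons), "->", line)
```

Only the second new event is reported, with the reasons new_host, unusual_hour and bulk_rows, while the routine daytime query from a known workstation passes silently. A real deployment would learn the profile from weeks of audit data and tune the volume factor per table, but the shape of the check is the same: the credential is valid either way, so the signal has to come from how it is being used.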
EMC’s “The Digital Universe” report points out that 93 percent of the data healthcare organizations hold requires protection. Additional information will come out over the coming weeks, but it’s already clear that a valid set of user credentials is an attacker’s coveted asset: with them, an attacker is able to sidestep defenses that focus only on the initial point of compromise.
Want to see a solution that finds attackers that utilize valid user credentials?