When Hackers Attack: Who is the Real Target?

(Commentary and Guidance Regarding the Anthem Data Breach)

February 2015

Last week, Anthem Insurance Companies reported a data breach and the possibility that 80 million customer and employee records were stolen. Social Security Numbers, addresses, and employment data, including compensation, are likely to have been compromised. Coming on the heels of another recent, high-profile breach (Sony Pictures), it is easy to become discouraged and fearful. First thieves wanted my credit card data; now they are after my address? Social Security Number? Employment history?

Early indications are that this most recent attack, like Sony before it, is an example of possible “state-sponsored” hacking, as opposed to the more traditional kind perpetrated by criminal gangs bent on short-term financial gain. Whereas criminal gangs want to remain undetected for as long as possible in order to carry out their thefts, state-sponsored actors revel in the frothy headlines, panic, and speculation regarding both the damage inflicted on the target and the capabilities of the actor in the future.

The targets here are the companies and their reputations, rather than financial data. The hope is to disrupt, embarrass, and cause financial loss for the target first, rather than harvest data to be used for identity theft (which remains a profitable secondary consideration). The $100 million estimated cost to remediate a large company breach is material for anyone.

What is to be learned from these cases? In the case of state-sponsored hacking, the immediate risk to the customer victim may be less urgent than in past events where stealing money from the target’s customers was the primary goal of the hack. Instead, the immediate risk to customers is from opportunistic thieves taking advantage of fear and panic to extract other sensitive data from the general public and perpetrate more traditional kinds of fraud. These thieves may call seniors asking for their Anthem user accounts and passwords, or target them with urgent texts and emails imploring them to “click here to provide your information so that Anthem can contact you to establish a new account…”

The changing dynamic of these hacks requires us to change the ways we react. Fear, and the urge to do something, can set us up for damaging responses when we allow panic to cloud our judgment.

How should we respond to these issues?

For customers, the charge is clear:

  1. KNOW who has your data,
  2. SECURE usernames and passwords according to best practices, and
  3. BE SAVVY to attempts from criminals to leverage stolen data to commit fraud.

Above all, be skeptical, and never respond to unsolicited phone calls and emails asking for your data. Most legitimate companies such as your bank or health care provider don’t do business this way.

For companies, the highly sophisticated attacks on both Sony and Anthem appear to have a common denominator: the compromise of administrator passwords to inflict maximum damage. The importance of protecting these highly privileged accounts is not new for information security, but securing this data has become harder in recent years with the increased use of social media.

Let’s take a quick look at LinkedIn, for example: From my desk, a quick search of Open Jobs for a potential target company gives me a good idea of what types of information systems and databases they run (i.e., from the skills they are hiring for), as well as a rough idea of where corporate data processing takes place. Another query of People shows me some first and last names of people, and their roles, which indicate who might have elevated privileges worth targeting. I may not have the keys to the kingdom, but I have made a lot of progress in thirty seconds…

In the coming weeks we’ll learn more about what happened and when. In the meantime, as customers, it is worth considering the most pressing risks in a breach of this nature, and as business people, it might be worth a look at what our social media profiles say about us and our organizations. Are we making things easy for scammers?

Some additional resources are provided below that our readers may find helpful.

  1. Information from Anthem regarding their attack
    • http://www.anthemfacts.com/
    • http://www.anthemfacts.com/faq
  2. A BNN article addressing identity theft
  3. A good description of various forms of identity theft, and how to guard against them
    • http://www.utica.edu/academic/institutes/cimip/idcrimes/schemes.cfm

If you have any questions or would like to discuss this further, please contact your BNN advisor at 1.800.244.7444.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.