Anthem hack offers big lessons for business, consumers

Leisa Richardson
leisa.richardson@indystar.com

Anthem's massive data breach last month and those at other companies in recent years may have surprised consumers.

But the vulnerabilities are no shock to security experts, who say many companies have gathered so much information over the years that it's difficult for them to know where it's all stored and to prepare for every potential threat.

The situation is a byproduct of an economy built around the convenience and openness of the Internet but lacking the security needed to keep sensitive data safe.

"There is a big lesson, and it's not good news at all," said Fred Cate, professor at Indiana University's Maurer School of Law in Bloomington. "Our economy, our lives, our businesses, our entertainment all depend on data that is not secure. Big or little, it doesn't really matter, your 80 million records at Anthem or your couple million credit cards at Jimmy John's. ... We have not figured out how to secure data."

Anthem officials continue to assess the impact of the compromised database, which contained the names, home and email addresses, Social Security numbers and other information of about 78.8 million current and former members dating to 2004. An estimated 4.5 million Hoosiers are included in the breach, as well as about 19 million consumers covered by a network of non-Anthem Blue Cross and Blue Shield operations across the United States and Puerto Rico, according to Tony Felts, an Anthem spokesman.

While Anthem's investigation in conjunction with the FBI continues, the company has tried to cushion the damage to consumers.

Beginning Monday and continuing over several weeks, Felts said, the health insurer will send letters to consumers affected by the breach with details about how to sign up for free ID theft protection and credit monitoring. But current and former members of Anthem and non-Anthem plans don't have to wait for the letter to arrive to enroll in the service. It has been available since Feb. 13, and so far, more than 300,000 people have signed up.

Experts say the record breach has put the health care industry on notice that its massive databases are ripe for cyber thieves. It also could be an early indicator of breaches to come for companies with exposed data.

In a January report, researchers at the Ponemon Institute called 2014 the year of mega breaches and predicted that 2015 would be as bad or worse as more confidential information and transactions are moved to the digital space and become vulnerable to attack.

Ponemon, which conducts independent research on privacy, data protection and information security, surveyed 735 information technology professionals about breaches at their companies. Among the responses, 65 percent said the attack evaded existing preventive security controls, and 55 percent said they were not able to determine where the breach occurred.

J.J. Thompson, chief executive and managing director of Rook Security, a Downtown Indianapolis-based firm, said even with the best information security professionals in the world, "sometimes it's not about the technology and it's not about whether you have the smartest staff. It's all about whether you have the right way of identifying problems and resolving those problems in a timely manner."

Thompson's team of 54 security experts does battle every day to protect a client roster of mostly Fortune 500 firms and tech startups against threats lurking in cyberspace.

He said companies have so much consumer information that when it is dispersed, analyzed and emailed throughout an organization, it just sprawls everywhere.

Large enterprises such as Anthem, Target and others struggle, Thompson said, "because they don't adequately identify weaknesses and get them fixed fast enough. The second piece is many don't have the right visibility capabilities so they don't have monitoring on all of their sensitive data sets. To say that to people just blows their minds, but the majority of large enterprises don't even know where all of their sensitive data is, let alone know how to protect it."

In the Ponemon survey, it took one-third of the organizations more than two years after an incident to discover the location of a breach.

"Anthem Information Security has worked to eliminate any further vulnerability and continues to secure all its data," Felts said. "Cyberattacks are continually evolving, and cyberattackers are becoming more sophisticated every day. We will continue to take steps to make our systems more secure."

What's the data worth?

The value of consumer data to hackers can vary depending on the type of information.

"The easiest information to exploit is credit card numbers," said Cate, the IU law professor who is head of the university's Center for Applied Cybersecurity Research and Center for Law, Ethics, and Applied Research in Health Information. "If you give me a thousand stolen credit card numbers, I can check them instantly. They're easy to verify if they're still working or not. I can go spend money on them instantly, but they're going to have a short life span. (The victim) can just change the number, and it no longer works.

"We think of Social Security numbers and birth dates as being more valuable because you can use that information to open new accounts, to reset the passwords of existing accounts, but as a practical matter we don't see a lot of that happening," Cate said.

"Forensic experts say the type of data involved in Anthem sells for more on illicit Internet websites, but it doesn't seem to sell as quickly, and we can't seem to find as much evidence of it being used as we can with stolen credit card numbers or passwords or things like that."

Regardless, there are questions about whether companies can independently establish sufficient safeguards to shield consumer data from bad actors in cyberspace.

A bill moving through the state legislature — Senate Bill 413 — would toughen rules on how companies handle consumer data and limit the length of time the information can be stored.

Indiana Attorney General Greg Zoeller proposed the measure before the Anthem breach happened, but the attack has added momentum, said Sen. Jim Merritt, R-Indianapolis, the bill's author. Thompson is serving as an adviser.

"What we hope to see is that the state legislature adds in minimum controls that companies have to be held to," Thompson said. Among the suggested standards is requiring any company that collects data to encrypt or disguise data. He said businesses have a responsibility to protect consumer information and there should be laws to make sure that happens.

"I'm saying that if somebody is going to have my grandmother's personal information, then they need to protect it, and we need to be clear with them on what it means to protect that data."

At least two states already have imposed minimum standards. Massachusetts and Nevada have a list of 20 to 50 controls with which organizations must comply if they possess consumer data, Thompson said. "These are things like technical configurations, self-assessment, things like testing that controls are in place when you have consumer data in your possession. Those states have put minimum standards in place. It's important that we do as well."

Whether there's enough momentum to drive Washington to act remains a tossup, Cate said. But the Anthem attack "will come as close to pushing them over the edge as any breach we've ever seen," he said.

How necessary is it?

Cate is optimistic that industries will start taking baby steps toward thwarting hackers.

"We're seeing companies asking, 'Do I need to store all of this data? You can't steal it if I don't have it? Like why did Anthem store all the data on their previous customers as opposed to current customers?' "

Felts, the Anthem spokesman, said the insurer is required by law to retain enrollment records for a certain period of time. But its policy to retain records for 10 years from the date of coverage is no longer effective.

Another motivation for businesses is cost. An analysis by the Ponemon Institute determined that each breach cost companies an average of $3.5 million to resolve, and the cost increases every year.

"As the cost goes up for having data stolen, you're not going to keep paying someone to figure out what you have and what you can get rid of," Cate said.

Avoiding liability also may be an incentive to limit the amount of consumer information that businesses — large and small — collect.

"Every doctor I go to asks for a copy of my driver's license. Well, every time they do that, I just think you're writing liability all over your office door, because when some disgruntled employee steals those, I'm suing. Pretty soon I think we're going to start seeing places that say, 'I thought it was a great idea to collect those, but maybe we don't really need them.' That will be good for all of us."

Call Star reporter Leisa Richardson at (317) 444-6378. Follow her on Twitter: @leisarichardson.

To get help

• Anthem is offering free identity protection services and credit monitoring to current and former members. Consumers affected by the security breach can access the services at any time during the next two years. Details are at anthemfacts.com. People without Internet access can call (877) 263-7995.

• To learn about the free credit freeze that prevents fraudsters from opening a line of credit in a consumer's name, go to www.IndianaConsumer.com. If you don't have Internet access and want to register for a credit freeze, call the Indiana attorney general's office at (800) 382-5516.