The Anthem Breach

By Jeralyn, Section Crime in the News
Posted on Fri Feb 06, 2015 at 08:24:00 AM EST
Tags: cyberattack (all tags)

Share This: Digg!

It's bad enough that 80 million people insured through Anthem have had their personal data stolen by hackers.

The hackers gained access to up to 80 million records that included Social Security numbers, birthdays, addresses, email and employment information and income data for customers and employees,

What's worse, is there's very little that can be done to protect yourself now that it's happened. [More....]

Anthem's fact page is here. It's very sparse at the moment. They say credit card information is safe. They don't mention whether electronic banking information is safe as well. A credit card is easy to change. A bank account is much more of a hassle.

How are hackers going to sift through 80 million people's personal data to make use of it? Are they going to sell it off in batches? Are there enough buyers? What are the odds my data or your data will find its way to someone who tries to fraudulently use it? 1 in a million or more or less?

Would it be helpful for people to change the passwords and security answers for their bank accounts and credit cards? Aren't those the accounts we really need to protect? To get a new password, most banks and credit card companies require security answers. If we change those post-hack, even knowing our social security numbers shouldn't be enough to get a new one, or for thieves to log in, change our address and have a new card sent to them in the mail.

I have one credit card that doesn't allow me to log in from a computer it doesn't recognize (including a computer I've used before, just not in the past few months.) I get a message asking me for my home phone number. My phone rings almost as soon as I hit "click" and a recorded voice gives me a number code to log in with (in addition to my password.) Even if the thieves had my phone number to type in, since they wouldn't get the phone call, they wouldn't get the code.

Another question: How accurate are these credit monitoring services? I've used one for years that covers the three major credit bureaus, but I wonder whether they do anything besides alert you to a new credit inquiry or change of address. If someone has your data and uses it to buy something on an existing account, why would a monitoring service flag it as problematic?

Stricter cyberlaw penalties are not going to solve the hacking problem. I also doubt monitoring services are sufficient protection. If companies don't encrypt all our information, we're vulnerable and there's not much that can be done about it. Maybe we should all go back to paying our bills by paper checks using the U.S. mail intstead of the internet.

< Jordan Frees Al Qaida Spiritual Advisor | ISIS Claims American Hostage Killed by Jordan in Airstrikes >

Legal

Nothing on this site should be construed as legal advice. TalkLeft does not give legal advice.

TalkLeft is not responsible for and often disagrees with material posted in the comments section. Read at your own risk.

The Anthem Breach | 30 comments (30 topical)

Readers Must Login or Create an Account to Comment

Yet another reason, well, why a lot (none / 0) (#1)
by scribe on Fri Feb 06, 2015 at 05:18:53 AM EST

of things were better off the way they were, why I'm glad I didn't get Obamacare, and why I like writing paper checks for my bills.

As I understand it, the press has not come out one way or the other to say whether the electronic health records have also been compromised. Putting health records on computers was one of the things Obama touted as a major improvement to come from Obamacare. Yet all I see is the potential for the kind of extortion recently highlighted in the series of stories about "ransomware". That's where someone gets a bug on your computer, one that denies you access to your files and will turn the computer into a briok in a certain amount of time. The demand is that you pay them a couple hundred bucks in Bitcoin and they'll give you the key to stop the countdown. Suppose, for a moment that a couple years ago you were successfully treated for, say, a social disease. Or lice. Or something you don't want broadcast to the world. Imagine the blackmail potential in an electronic health record - one that doesn't ever go away - in the hands of extortion-minded folks.

I'm convinced that the only way companies that aggregate our data will get their thumbs out of their axes and start actually protecting it, is if the presidents of those companies and the members of their boards are held personally liable. Right now, the people running companies have absolutely no incentive to actually protect the data, and can finesse the balance sheets and payouts, if any, for breaches such that it costs their companies nothing. Put a CEO in FCI Florence and watch that change.

Until that happens, I'm sticking with backing up frequently, a dumb phone, strong passwords, and paper checks with accounts that do not allow electronic transfers out. At present interest rates (I got 0.05 percent p.a. on my savings account last month - that's $5 annual interest for every $10,000 on deposit) it's almost saner to keep it in cash in a mattress, but for the fact the local or federal cops might decide (very wrongly) those were the proceeds of drug dealing and seize them.

I wonder (none / 0) (#2)
by lentinel on Fri Feb 06, 2015 at 09:42:19 AM EST

about the bit coin currency.

That would seem to be especially vulnerable to hacking.

I also wonder whether the loss of paper money and real coins would simply enable the government to track our every move even more easily.

No cash transactions would be a tax collector's dream.

And I wonder how safe is Paypal. They do recognize if you are using your own computer - so for the moment I feel safe...
But am I really?

Someone able to hack into ones Paypal account would be beyond nightmarish.

Those were the same questions I had (none / 0) (#3)
by nycstray on Fri Feb 06, 2015 at 11:58:49 AM EST

I'm guessing they've got a way to sort the info, but I'm just not getting these massive hacks on places. It's kinda like, okay we get it it, you can hack and get our info and use some of it, but really, how much do you need? Wouldn't hacking Wall St or the 1% be more fun :P

Sure would... (none / 0) (#4)
by kdog on Fri Feb 06, 2015 at 12:10:28 PM EST

but the 1% have the resources to prevent it and/or protect themselves, and get preferred citizen treatment from the crooked credit reporting agencies should a fraud occur, outside of the legal frauds they perpetrate themselves daily of course. Like so many things, our problems are not there problems, they're above it.

Err, in this case I should say "your problems". Though I suppose I'm susceptible to identity theft, I am immune from hacking. Neener-Neener! (j/k);)

And everytime a big hack like this happens, it slows the roll towards a cashless society...which makes me very happy.


On the News This Morning... (none / 0) (#5)
by ScottW714 on Fri Feb 06, 2015 at 12:33:06 PM EST

...they claimed that the hackers were Chinese and there was a fear that some of the medical information could be used to for espionage, presumable to blackmail people with sensitive medical information.

I think there is a larger point here, this isn't target or credit card information, this is highly sensitive information that we, as consumers, have absolutely no control over. To me if they can't protect this kind of information it should not be connected in anyway to the the internet.

It benefits us in no way, well I guess if you get sick and you are away from home, but that should be our choice, not theirs. They are playing fast and lose with our personal information that we have no choice in giving them, and when it's 'lost' to hackers, they should pay sever penalties. Not this free services BS.

Real compensation, not some gimmick related to credit when they stole medical files.

I have since left Big Medical and moved to a small doctor's office in which my history is still a paper file. But all the billings are at risk, which presumable one could decipher my medical history by looking at the charges, just not near as easy, and unlike medical history, is not centrally located as my provider has changed numerous times.


The idea that responding to this stuff (none / 0) (#6)
by CaptHowdy on Fri Feb 06, 2015 at 12:39:40 PM EST

more aggressively will not help is IMO wrong. That is exactly what we should do. These records ultimately are going to end up online unless you live off the grid. And most don't and won't. These acts should be IMO treated as what they are. Terrorism. Individuals and governments, like China if indeed they are Chinese, should be pushed right to the wall to stop it.
China has gotten away with this pirate cr@p for way too long. It's time to call them out and force them to stop it.
It's time to stop looking away because they own all our debt. IMO that was part of their plan.


Isn't it overblown though? (none / 0) (#7)
by kdog on Fri Feb 06, 2015 at 12:46:22 PM EST

I mean I know getting your bank account hacked/identity can be a nightmare...but it's one of those first world nightmares, which is really no nightmare at all. It's not cancer, it's not a gunshot wound...it's the internet and electronic data.

If all war was of the cyber variety, and all theft of the cyber variety...wouldn't that be a better world than the one we live in, where most war still involves blood, and most theft is legal and some percentage of illegal theft involves violence?

Not to say it's not a problem...only that we got much much bigger ones.


With due respect (none / 0) (#8)
by CaptHowdy on Fri Feb 06, 2015 at 12:48:35 PM EST

that's easy for you to say since you don't have a bank account. It can literally destroy a persons life. Their hopes for paying for the education of their children or pay ping for their retirement or their family after death.

No. It is not overblown enough.


I Would Argue... (none / 0) (#10)
by ScottW714 on Fri Feb 06, 2015 at 01:22:36 PM EST

...that almost all financial stuff is insured, might be a mess, but at the end of the day your account will have the balance it should. Even credit cards, I mean who cares, charges you don't authorize are not yours, period.

Identity theft is another story, but at this point if you aren't monitoring your credit, well, come on, get into this century, there is no excuse for not getting an email when a new line of credit is opened under your name.

What I don't like, is companies being hacked aren't held accountable, at all, or even investigated. "Here is your free credit monitoring, now F off." Yeah, I monitor my credit for free all by myself, what I would prefer is the people with sensitive information, especially the ones I have no choice in giving, like health care, to have in place the necessary security to not get hacked, you know like most companies.

The Chinese aren't going to stop whether you call it hacking, terrorism, or Armageddon. The Chinese aren't the ones I am putting my trust in with my data. If my bank gets robbed, I don't care who did it, I want to know why my bank was that one targeted, surely the criminals saw something they could exploit, and then did it.

These companies are at fault for not having the necessary security to keep their data secure. Everyone else manages to do it, and it's not dumb luck they picked this or that company, they go after and exploit weaknesses in security and they aren't going to stop. What can be controlled is security, and if they aren't up to the task, we should fine the H of out them until they figure out pinching pennies on the security of other people data is not going to help their bottom lines.


I know enough tech nerds (none / 0) (#11)
by CaptHowdy on Fri Feb 06, 2015 at 01:25:28 PM EST

to know I am not one. But one thing I do know is that "hack proof" is a pipe dream.


: Well Since... (none / 0) (#22)
by ScottW714 on Fri Feb 06, 2015 at 03:02:28 PM EST

...Matthew Broderick hasn't launched any missiles, there are certainly systems hackers have been unable to penetrate.
But that wasn't the point, security is not equal, we used to have what I would call very lax security, now it's top notch. There is a reason they hit some companies and not others and it ain't because they are throwing darts at phone book.
Of all the insurance companies why Anthem, because the system was the easiest to penetrate, it was flawed. And a fine should reflect that, let the government decide if they had adequate security or not, and assess accordingly. If it was top notch, no fine, if it was 2001 style, smack them up side the head. The point is now, we only have their word they were adequately prepared.

Though if we fine the hell outta 'em... (none / 0) (#15)
by kdog on Fri Feb 06, 2015 at 02:04:32 PM EST

whose to say they won't just jack up their prices to cover the fine and keep the sh*tty security?

Look at the JP Morgan Chase, fines are not an effective deterrent for big business.

You're holding the right folks responsible, but personal and corporate responsibility are for little people and small businesses...there is no such thing among the Fortune 500.


Because the Entire Buisiness Model... (none / 0) (#21)
by ScottW714 on Fri Feb 06, 2015 at 02:53:54 PM EST

...is based on staying competitive. What company wouldn't raise their prices if they wouldn't loose customers.


Which business model? (none / 0) (#24)
by kdog on Fri Feb 06, 2015 at 03:21:25 PM EST

Selling TV's yeah...selling health insurance or financial products, not so much. Those markets are too crooked for normal business models to apply.

Chase, Citi, BofA...they've covered their fines and profited greatly by screwing their customers over and over, and their customers seem to stay put. Why I really don't know...conditioned to be screwed and like it maybe?


Really.. (none / 0) (#25)
by jondee on Fri Feb 06, 2015 at 03:46:06 PM EST

they laundered literal blood money for years; without a shred of "plausible deniability".

But no single member of the corporate hive-entity is at all responsible for the crimes that thousands of less-connected people are rotting in prison for..


: The Entire Purpose... (none / 0) (#28)
by ScottW714 on Fri Feb 06, 2015 at 04:33:10 PM EST

...of a corporation is to deflect liability, financial, legal, and moral. It serves no other purpose.

Would you rather have... (none / 0) (#13)
by kdog on Fri Feb 06, 2015 at 01:54:27 PM EST

your bank account emptied by hack, or would you rather be held captive for a week by armed men as they emptied your bank account at gun point via several ATM withdrawals?

Again, I understand how much it would suck, and I also understand my odd lifestyle choices shield me from much of it, but it's a far cry from "destroying a life"...if it can "destroy a life", that's only because we as a society think money is more important than people, and give the zeros in a hard drive somewhere the signifigance to destroy lives. And we can't exactly blame that mess on hackers, as nefarious as the criminal and espionage hacking element may be.


One mans story (none / 0) (#14)
by CaptHowdy on Fri Feb 06, 2015 at 02:04:31 PM EST

Identity fraud nightmare: One man's story

I have no identity . I have no legacy. They ruined me

Kdog just because you have no interest in a financial legacy doest mean others don't.


Sad story... (none / 0) (#17)
by kdog on Fri Feb 06, 2015 at 02:18:50 PM EST

but still first world problems Cap'n.

And it sounds like that poor slob was just as victimized by the financial industry as he was by hackers. Fool me once, shame on you...fool me twice, shame on me.

It actually happened to my older bro a few months back. His bank account got hacked. Major inconvenience, because he had direct deposit he basically didn't get paid for a month while they sorted it out. The bank ate the loss to his account though. I told him to get his arse off direct deposit STAT and to keep some cash on hand and stop relying on debit cards. Everybody should ask themselves, if your bank account and credit cards got frozen tomorrow, can you buy food? If the answer is no, changes should be made.

This sh*t is part of the reason I live how I live...or more accurately, why I haven't changed how I do finances. Our corporate overlords don't give a sh*t, it's up to us to protect ourselves.


My SS check (none / 0) (#20)
by CaptHowdy on Fri Feb 06, 2015 at 02:48:53 PM EST

which is pretty much what I live on is direct deposited and is usually gone on a week after paying monthly bill. Not to worried about that. What little other money i have and where the money I get from my pension that's coming is going is in another account. In another bank. With no debit card connected to it.


Does SS even cut (none / 0) (#23)
by kdog on Fri Feb 06, 2015 at 03:18:03 PM EST

paper checks anymore? I know they're really pushing direct deposit, just like my boss.

But I'm still holding the line...I take cash, and I reluctantly take checks...f8ck direct deposit. That "convenience" comes at a potentially high price to your economic freedom. Just ask my brother!


: I'm surprised (none / 0) (#29)
by Ga6thDem on Fri Feb 06, 2015 at 05:39:25 PM EST

your boss has not gone to a pay card.

It can also do things like (none / 0) (#27)
by jbindc on Fri Feb 06, 2015 at 03:57:59 PM EST

Prevent you from getting a job, buying a house, renting an apartment, getting student loans, etc. Yes, those may be "first world problems", but we live in the first world, so they aren't just "inconveniences ".


Well, I'll let you all know if I get affected (none / 0) (#9)
by sarcastic unnamed one on Fri Feb 06, 2015 at 12:54:19 PM EST

by the hack. Fingers X'd nothing happens.

: Just minutes ago I got a phony AMX (none / 0) (#12)
by fishcamp on Fri Feb 06, 2015 at 01:53:16 PM EST

request to fill out all my info for them. My card has been hacked twice in the last three months, so I'm finally getting good at realizing the fake ones. I called AMX and sure enough it was a fake request for my info. She was surprised to find out that I already knew to forward the fake email request to spoof@americanexpress.com. Glad I caught it.

Hacking is going to be like (none / 0) (#16)
by jondee on Fri Feb 06, 2015 at 02:04:55 PM EST

performance enhancing drugs, with the technology of the crooks staying abreast of, or often just ahead enforcement..

And then of course, who's and putting all their trust in and watching the watchers?

As technological civilization advances, the Pandora's boxes just get bigger and bigger.

: I think the recent moves to classify (none / 0) (#18)
by CaptHowdy on Fri Feb 06, 2015 at 02:29:18 PM EST

the Internet a public utility may help. No facts to support that at all really but it seems to me that might come with some increased protection efforts as well as more aggressive pursuit of attackers.
One can hope.

Well, I'm waiting (none / 0) (#19)
by Ga6thDem on Fri Feb 06, 2015 at 02:37:23 PM EST

to see if we were one of the victims. I'm not worried about someone charging something to a credit card of which Anthem does not have on record anyway. I always worry that whoever will take my personal information and create all kinds of problems and people will think it is me doing it and not an identity thief. My bank has extra security and Anthem doesn't have that information either.

Lotsa Speculation in the Thread (none / 0) (#26)
by vicndabx on Fri Feb 06, 2015 at 03:47:04 PM EST

I would recommend the link Jeralyn posted, would dispel at least some of it.

Full disclosure: For those that don't already know, I work for {insert name here}

On the general topic of hacking, I would say it has less to do with the tools in place to prevent hack - there's only so much a router, firewall rules or software like McAfee can do. More important is the tenacity of the hacker(s). I read a book a number of years ago, Hacking Exposed. Most hacks are brute force ones (software that tries user logons/pwds repetetively) or brought about by confidence scams/phishing. There is also the ubiquitous embedded link in email which runs a program when clicked. I for one would loke to see tougher penalties for those that inflict the damage.

With all the recent breaches, Target, The Home Depot, The NY Times, etc. hopefully, those that do, will no longer romanticize the hacker and treat them as they should be treated, like criminals. Maybe we can get something accomplished then. Tougher penalties and worlwide coordination amingst internet authorities would be a great start, imo.

I wonder if all those data... (none / 0) (#30)
by unitron on Sat Feb 07, 2015 at 12:20:41 AM EST

...were stored on their system in encrypted or unencrypted form?