Could same hackers be responsible for Premera and Anthem breaches?


By Byron Acohido, ThirdCertainty

Predictions that 2015 would be a watershed year for stolen healthcare records are bearing out.

On Tuesday, health insurer Premera Blue Cross disclosed that a cyber attack that commenced in May 2014 resulted in exposure of medical data and financial information of 11 million customers.

Stolen records included claims data and clinical information, as well as financial account numbers, Social Security numbers, birth dates and other personal data.

The Premera breach appears to involve a record number of victims for whom actual medical records are now circulating for sale in the cyber underground.

Records for some 80 million people were stolen from the nation's no. 2 insurer Anthem, disclosed last month, and records for 4.5 million people were hacked from Community Health Systems, parent of 206 hospitals in 29 states, disclosed last summer.


But the Anthem and CHS breaches involved the theft of personal data only, not medical records. That's splitting hairs. Personal and medical records are the building blocks for the worst forms of identity theft.

"With Anthem and Premera, hackers not only got the skeleton keys to lives, they got the key ring and the key chain," says Adam Levin, chairman and co-founder of identity and data risk management consultancy IDT911, which sponsors ThirdCertainty. "Members and employees whose data was exposed — especially their SSNs — will be forced to look over their shoulders for the rest of their lives."

Seattleites hit hard

More than half of the victims — about 6 million Premera patrons — reside in Washington state, including employees of Amazon, Microsoft and Starbucks. The rest are spread through the other 49 states. These companies are now prime targets for spear phishing attacks.

It doesn't take much imagination to see how a criminal could use the stolen data to create spoofed accounts, pose as a trusted colleague, and send malware-laden email and social media posts to fellow employees as a way into any of these corporate networks.
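The impersonation scenario described above is detectable at the mail gateway with a few header checks. The following Python script is an added example for this article, not code from Premera, ThirdCertainty or any of the firms quoted; the corporate domain `example-corp.com`, the two-person employee directory and the four sample messages are all constructed for illustration. It flags three patterns an attacker posing as a colleague tends to leave behind: a real employee's display name on an outside address, a sender domain that typo-squats or homoglyph-squats the corporate domain, and a Reply-To header that redirects replies elsewhere.

```python
"""Flag e-mail headers that impersonate a trusted colleague.

Added example, not part of the original article.  The corporate domain,
the employee directory and the sample headers are constructed for
illustration only.
"""
from email.utils import parseaddr

CORP_DOMAIN = "example-corp.com"          # assumed corporate domain
DIRECTORY = {                             # constructed employee directory
    "Dana Whitfield": "dana.whitfield@example-corp.com",
    "Omar Haddad": "omar.haddad@example-corp.com",
}
# Characters attackers commonly swap to build lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize_domain(domain):
    """Map common homoglyph tricks back to the letters they imitate."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True when the domain imitates CORP_DOMAIN but is not it."""
    if domain == CORP_DOMAIN:
        return False
    if normalize_domain(domain) == CORP_DOMAIN:
        return True
    return edit_distance(domain, CORP_DOMAIN) <= 1


def triage(headers):
    """Return the reasons a message looks like colleague impersonation.

    `headers` is a dict with at least 'From'; 'Reply-To' is optional.
    An empty list means none of these three checks fired.
    """
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []

    # 1. Display name of a real employee, but the address is not theirs.
    known = DIRECTORY.get(name)
    if known and addr.lower() != known:
        reasons.append("display-name spoof: %r sent from %s" % (name, addr))

    # 2. Sender domain typo-squats or homoglyph-squats the corporate domain.
    if is_lookalike(domain):
        reasons.append("lookalike domain: %s" % domain)

    # 3. Reply-To steers replies to a different domain than From.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if "@" in reply:
        reply_domain = reply.rsplit("@", 1)[-1].lower()
        if reply_domain != domain:
            reasons.append("reply-to mismatch: %s vs %s" % (reply_domain, domain))
    return reasons


# Constructed sample headers: one legitimate message, three impersonations.
SAMPLES = [
    {"From": "Dana Whitfield <dana.whitfield@example-corp.com>"},
    {"From": "Dana Whitfield <dana.whitfield@gmail.example>"},
    {"From": "Omar Haddad <omar.haddad@examp1e-corp.com>"},
    {"From": "IT Helpdesk <helpdesk@example-corp.com>",
     "Reply-To": "helpdesk@mail-example.test"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["From"], "->", triage(msg) or ["ok"])
```

The directory lookup is the check that matters most for the scenario in the article: once an attacker holds a list of employee names, the cheapest lure is a genuine colleague's name on a free-mail address, and no domain heuristic will catch that on its own.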

On a lower rung of criminal activity, a whole generation of scammers who've mastered fraudulent online transactions using stolen credit card account numbers are ready to move to the next level, observes Lisa Berry-Tayman, senior privacy and governance advisor at IDT911 Consulting.

"Criminals learn," says Berry-Tayman. "The credit card thief steals the data, charges until the account is closed and the money is gone. To steal more money over a longer period of time, he or she must think bigger, and bigger is identity theft. Why just spend their money for a finite period of time when you can become them and spend their money for years and years?"

The healthcare industry has become a target because it has moved aggressively to get rid of paper records and to collect, store and make use of healthcare data in digital form. The goal: to boost productivity. The trouble is that the healthcare industry, like many other industries, continues to make the digital push, including intensive use of cloud services, without adequately accounting for security basics, security experts argue.


"Today's Premera breach news once again demonstrates the failure of flawed, outdated assumptions, an over-reliance on guard-the-entry-point security and simplistic single-key encryption schemes," says Richard Blech, CEO of encryption technology company Secure Channels. "This is a quaint and dangerous approach to a 21st century problem."

Trent Telford, CEO of data security company Covata, agrees. "For many of these companies, data security has been an afterthought or something they did not deem necessary," Telford says. "However this breach again highlights how vulnerable the health care and insurance industries are to attacks. People are entrusting these organizations with their personal information and it is the responsibility of corporations to take appropriate steps to ensure it is protected — this must include data encryption."

Common culprits?

Premera is keeping details of how the breach was carried out close to the vest. The FBI and IT forensics specialist Mandiant, a division of FireEye, are investigating.

A good guess is that Premera was the focal point of a targeted attack, says Josh Cannell, malware intelligence analyst at Malwarebytes Labs.

"A vast majority of cyberattacks targeting enterprise networks originate by attackers gaining access to internal networks through social engineering techniques like phishing/spear phishing e-mails that closely resemble something employees are familiar with," Cannell says. "Once attackers have an access point inside an enterprise network, they can then use privilege escalation techniques and install malware to maintain a presence on the network."

Cannell says it's plausible the same hacking collective hit Anthem and Premera. "Since the attack happened around the same time as the Anthem breach, and was targeting a similar organization, it seems reasonable to say the threat likely originated from the same actors," Cannell says.
