Security Central: Anthem Reports New Data Breach, Prankster Foils White House
Anthem Health Insurance has reported a new data breach, this time affecting 18,500 members. Victims had their records (Social Security and Medicare identification data) emailed to the private email address of a staffer at a third-party vendor.
According to CNBC, Anthem was reportedly contacted about the breach by the consulting firm LaunchPoint Ventures back in June. Two months before that, LaunchPoint discovered that one of its employees had been involved in a case of identity theft, and further investigation discovered that the worker had “emailed a file with information about Anthem companies’ members to his personal email address,” a year ago.
This is the second major data breach for Anthem in two years. Back in July, the health insurer agreed to a $115 million settlement to resolve a class action lawsuit over a 2015 breach that compromised the personal information of nearly 80 million people. That agreement marked a new record for a cyber-breach.
In 2013, the company paid $1.7 million over a federal complaint that it failed to have proper online security measures, exposing the protected health information of more than 600,000 people. Not a great track record, guys.
So how can this sort of thing be prevented? Gaurav Banga, Founder and CEO of Balbix, says that businesses need to better assess risk of data exfiltration and malicious intent across the enterprise, including third party contractors.
“Specifically finding the data stores within the enterprise that have a high business impact and are at an increased likelihood from being attacked by infected devices or malicious users, can help predict and prevent such attacks, before they happen,” says Banga. “Continuous risk assessment and monitoring of the enterprise attack surface can reveal such risks proactively.”
Rich Campagna, CEO, Bitglass, is also a fan of the prevention method. “Whether it’s a careless auto-fill of an external email address in a file sharing prompt, or a malicious attempt to leak data, as it appears to be the case in this most recent Anthem breach, healthcare organizations must use technologies like data leakage prevention (DLP) to identify sensitive patient data and to build controls around when that data can be accessed and by whom,” says Campagna.
Campagna goes on to say that for this incident, simple rules could have been implemented that prohibit such a large volume of patient data from being shared outside the organization without internal approval.
Our second story takes a look at one of the White House’s recent shenanigans, this time coming from the outside. An “email prankster” in the UK managed to trick a number of White House officials into thinking he himself was a White House official. How? In one instance, this cyber schemer convinced the White House cybersecurity official that he was Jared Kushner and received that official’s private email address unsolicited (as reported by CNN).
“Tom, we are arranging a bit of a soirée towards the end of August,” the fake Jared Kushner wrote to the official White House email account of Homeland Security Adviser Tom Bossert. “It would be great if you could make it, I promise food of at least comparible (sic) quality to that which we ate in Iraq. Should be a great evening.”
Bossert responded: “Thanks, Jared. With a promise like that, I can’t refuse. Also, if you ever need it, my personal email is” (redacted).
The White House told CNN it was investigating the latest incident and took the issue very seriously. Tim Erlin, VP of product management and strategy at Tripwire, urges folks to recognize the seriousness of the matter.
“While these particular incidents were undertaken to be funny, the implications of how easily the individuals involved were entrapped should be clear,” says Erlin. “The difference between this prankster and a serious criminal is only in the disclosure of the results. A serious criminal wouldn’t’t have shared the outcome with the press. Email spearphishing is a big challenge for cybersecurity, and shouldn’t’t be taken lightly.”
Erlin goes on to say that traditionally, we’ve placed a higher level of scrutiny on communications with government officials because of the potential for disclosure. These ‘pranks’ demonstrate why that scrutiny is required. “A sophisticated criminal with a target in mind could use email as a channel to develop a more complete relationship and ultimately compromise much more sensitive information,” says Erlin.
With this incident in the press, it appears that the White House needs to take a very close look at email security and training their staff to recognize spearphishing attempts.
Our last story turns the spotlight on the energy sector. Apparently, there’s a new form of cyber-attack in town, and it’s got it’s sights set on power. Well, cutting it, that is. According to Infosecurity, the new attack vector apparently has the… power… to bypass all software defenses and cause power cuts and disrupt vital facilities.
Here’s how it works. A “lure” document masquerades as a curriculum vitae accompanying a harmless-seeming email. This type of spear-phishing attack is nearly impossible for the energy companies to identify due to the fact that the lure email and attached Word document are spotless, and contain no malicious code whatsoever. This makes them completely undetectable to incoming email monitoring defenses.
The “weaponized” Word document contains a template reference that, when the document is loaded, connects to an attacker’s server to download a Word template which can include embedded malicious payloads.
The new type of attack was discovered by Israeli cybersecurity company Cyberint. For now, the hackers are targeting U.S. and UK energy companies. The attack has potential to spread, so folks are taking action.
Elad Ben-Meir, CyberInt vice-president of marketing, speaks to the importance of immediate action. “Owing to the international nature of cybercrime and cyber-terrorism, UK energy companies should take immediate steps to protect themselves against these attacks as standard monitoring and filtering of incoming emails will be ineffective if this campaign starts to spread outside the US.”
The views expressed in this column do not necessarily reflect the views of Penton Media or The VAR Guy editorial staff.