Anthem hack: Personal data stolen sells for 10X price of stolen credit card numbers

06.02.2015
The hackers who stole personal data from health insurer Anthem stand to make a whole lot more than the ones who stole 56 million credit and debit card numbers from Home Depot because the potential payback per identity is so much greater.

"Compared to credit card information, personally identifiable information and Social Security numbers are worth more than 10x in price on the black market," says Martin Walter, senior director at RedSeal.


That could be a conservative estimate, according to a report by PwC called "Managing cyber risk in an interconnected world: Key findings from The Global State of Information Security® Survey 2015."

"A complete identity-theft kit containing comprehensive health insurance credentials can be worth hundreds of dollars or even $1,000 each on the black market, and health insurance credentials alone can fetch $20 each; stolen payment cards, by comparison, typically are sold for $1 each," the report says.

The price differential is due to the ability to use identity information (birth dates, Social Security numbers, addresses, employment information, income, etc.) to open new credit accounts on an ongoing basis rather than exploiting just one account until it's canceled.

But that's not all. "The information attackers were able to access from Anthem are key pieces of data that can be used to access someone's financial records," says Eric Chiu, president & co-founder of Hytrust, making it possible to find and drain individuals' personal cash reserves.

It's not known exactly how many Anthem customers' data was stolen, but the company has 37.5 million subscribers plus another 68 million served by its affiliates.

Walter says this type of massive theft from a health provider should have been expected. "It was only a matter of time until hackers found out that it's much easier to go after Social Security numbers and personally identifiable information with healthcare providers, which in comparison spend significantly less on security, making them tentatively easier targets."

While health organizations do spend less on security in general than some other markets such as finance, they are making strides, according to PwC; their security spending in 2014 was up 66% over 2013.

Last year, healthcare providers and payers reported a 60% increase in detected incidents, with the resulting financial losses jumping 282% over 2013. The possible explanation: attackers are targeting healthcare entities for their patient health data.

While health industry providers are boosting security spending, they may not be doing so in order to protect existing customer data, PwC says. Rather, it may be to secure the blossoming number of new health-monitoring devices that help comprise the Internet of Things. "Consider that almost half (47%) of healthcare provider and payer respondents say they have integrated consumer technologies such as wearable health-monitoring devices or operational technologies like automated pharmacy-dispensing systems with their IT ecosystem," according to the PwC report.

The attack was detected last week when a systems administrator saw a database query he hadn't initiated was being run using his ID, according to a report in the Wall Street Journal. The stolen data was found stored in a Web-storage cloud service and secured. But it was uncertain whether the thieves had already backed it up from there to another location, the report says.

"Statements indicating that the company immediately made every effort to close the security vulnerability suggest that a known vulnerability was exploited in the corporate web environment or that a payload was delivered via spear phishing to employees but was easily corrected once identified as the point of entry," says Adam Meyer, chief security strategist at SurfWatch Labs.

The breach was reported to HITRUST Cyber Threat Intelligence and Incident Coordination Center, a health industry alliance to better prepare healthcare organizations for dealing with security. "Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation," HITRUST says.

Anthem has also hired Mandiant to evaluate its systems, according to Anthem CEO Joseph R. Swedish in an online letter to the company's customers.

The incident should serve as a wake-up call. "If the healthcare sector doesn't get the message that they are storing treasure troves of information and are not doing enough to protect it, I can only hope consumers and companies who provide healthcare plans speak with their wallets and work with healthcare providers that go above and beyond to protect the most personal of an individual's information," says Sean Mason, vice president of Incident Response at Resolution1 Security.

"This attack is 1.0 for major league healthcare," says Tim Eades, CEO of vArmour.

(www.networkworld.com)

Tim Greene