The impact of an identity breach is potentially more dangerous and harmful than that of a credit card breach. Credit card breaches are quickly mitigated by issuing a new card and account number – a routine process for card-issuing banks. Even with massive credit card breaches, actual credit card fraud is low because banks are so adept at responding. Identity attacks, such as the one on Anthem, will likely have a longer lasting and more devastating impact. The disclosure of Social Security numbers and other data points such as income, employment status and birth dates allows attackers to sell this information to other criminal operations. Other potential issues with identity breaches involve the ability for the hackers to commit massive fraud themselves by creating accounts with credit card companies or other financial institutions, causing the victim to cope with the fallout from such a violation for an extended period of time.
While Anthem will likely offer some protection services to their customers, potential victims shouldn’t wait. They may want to go ahead and activate credit freeze alerts, credit monitoring, and gather supporting financial and personal documentation for future issues. These items are key for victims to protect themselves from a potential identity theft situation.
-Philip Casesa, CISSP, CSSLP, director of IT/Service Operations, (ISC)²
New attacks warrant new approaches to securing not just the data of an enterprise, but the intimate details about the lives of millions. The constant tit-for-tat between attackers and defenders may seem tiring to a public who depends on technology to just work, but the correct response is still an integrated strategy incorporating recognized cybersecurity frameworks, judicious and regular accounting of risk and access by trained experts, and the diligent application of tools, policy and practices to secure information systems. It is further important to apply this cycle not just once, but on an ongoing basis as the value of data increases, the means of exploitation expand and the mechanisms of authorized access mushroom and accelerate.
-Noah Gray, CISSP, CSSLP, Senior Manager of Enterprise Architecture, (ISC)²
They say that, “Based on what they know now…”, there is no evidence that credit card or medical information was taken. However, it will be interesting to see what the investigation uncovers. Obviously, all current and former Anthem members need to immediately begin monitoring their financial accounts for any type of unauthorized activity, and check with Anthem for updates on potential credit monitoring services that will inevitably be offered at some point soon. Other healthcare institutions should also take notice, and begin assessing their systems for any breaches that may have occurred to help prepare for similar attacks in the future. A large healthcare company such as Anthem is a very attractive target for cyberattacks due to the large number of customers and the wealth of valuable Personally Identifiable Information (PII) and Protected Health Information (PHI) available.
-Dan Waddell, CISSP, CAP, Managing Director, National Capital Region, (ISC)²
This seems like a targeted attack focused upon obtaining valuable PII and PHI. Since it is early in the investigation of this breach, Anthem may discover that more sensitive information has been compromised. That may include credit card information, health records related to medical tests and claims. Current and former Anthem members need to remain vigilant by monitoring their credit reports, bank accounts and all other financial accounts, as the attackers had access to Social Security numbers, addresses, dates of birth and income information.
-Justin Warniment, CISSP-ISSEP, ISSMP, Senior Manager, Professional Programs Development, (ISC)²
In light of reports that actual medical history and information was not stolen, customers should request more information on how the organization knows that no medical records were compromised.
In general, those who were affected by this massive breach should be vigilant with their credit reports, ratings and scores. Credit reporting, which should be available for free from Anthem following this incident, can be used to determine if a criminal has opened a new line of credit, applied for a job, purchased or sold a home or other asset using someone else’s identity. This type of crime is often the result of a personal identity theft/breach. If fraudulent activity is identified early, the victim can alert credit bureaus and potentially thwart further damage to personal identity.
These comments are not intended to scare victims of this attack, but rather to provide guidance to protect and safeguard their identities. This incident should also serve as a reminder for consumers to follow such preventative measures to safeguard their information on a regular basis.
-Elise Yacobellis, CSSLP, Director of Global Development, (ISC)²