Dive Brief:
- An expert at Tripwire.com believes Anthem may have been the victim of a simple login theft that led to the massive personal information exposure reported last week.
- The AP reported that hackers gained access to accounts used by five different Anthem tech employees. Tripwire security blogger Ken Westin believes that they fell victim to a common phishing scam, allowing hackers to get their email addresses—the first step to any organized hack.
- "What may be a key weakness here is that it appears there were no additional authentication mechanisms in place, only a login/password or key, with administrative level access to the entire data warehouse," Westin wrote. "Anthem's primary security sin may not have been the lack of encryption, but instead improper access controls. Although it appears the user data was not encrypted, in Anthem's defense if the attackers had admin level credentials encryption would have been moot anyway."
Dive Insight:
Wait... what? Anthem Inc., one of the largest players in the health IT field, had a single-tiered access model for its entire database of patient information? From a technical standpoint, that's the equivalent of saying that one of the largest healthcare patient data networks on the planet has essentially the same access protection as Aunt Mabel’s AOL account.
As Westin said, encrypting data can't protect it when free access to the entire network can be granted by hacking a single user's password. To illustrate the egregious nature of this security error, let's turn back to a 1994 column written by magician Penn Jillette, a computer expert who has written tech columns for Computerworld, among others.
In this archival piece, he described how AT&T/Bell Labs' entire network was shut down by an ingenious hacker who simply called a network administrator at his desk and said, "Hi, this is Ken. What's the root password?" That was 20 years ago—an eon in the technology lifecycle—and it may be essentially the same strategy used to hack Anthem. Two decades ago, the industry learned that protecting a network means tiering access, with different access levels for different workers, and multiple security levels offering access to particularly sensitive data only to those higher up the food chain. Anthem may have neglected that lesson.