John Sutter tries to figure out who to blame for the Anthem data breach
He was among the health care company's customers who was notified about the hack
Maybe you got the email, too?
It landed in my inbox at 1:58 a.m. on Thursday.
“To Our Members:
Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data.”
Nice to know.
“However, despite our efforts …
“…Anthem Blue Cross Blue Shield was the target of a very sophisticated external cyber attack.”
Wait, what the …
“These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, e-mail addresses and employment information, including income data.”
It’s not the first email you want to open in the morning.
The only consolation, I suppose, is that I’m far from alone. Anthem, which is the second largest health insurer in the United States, said on Thursday that as many as 80 million customer records were stolen.
The breach “ranks among the largest in corporate history,” writes CNNMoney.
I don’t know about the other 79,999,999 of you, but it’s a strange feeling (right?) to all of a sudden be part of a news story like this. We read about these data breaches all the time – from Home Depot, Target, Sony. Unless you’re connected to them personally, though, they tend to zip by, too numerous and massive to process. But when it’s your inbox, your data, something about it feels different. Yeah, that’s selfish. But it was enough of a motivator for me to call up a couple data security experts to dig into this a little bit.
My goal, like any vindictive jerk: Figure out who to blame.
The first, logical inclination, I figured, was to blame Anthem, itself.
Shouldn’t this company, with its Orwellian emails, have done more with its “state-of-the-art information security system” to try to prevent an attack?
Couldn’t it have implemented a super state-of-the-art system or something?
I found that view echoed by Paul Henry, a senior instructor at the SANS Institute, an information security training company. Henry told me he gets really annoyed when companies like Anthem claim that they were the victims of a “very sophisticated” hack. Most of the time, he said, they’re not sophisticated at all.
The hackers “don’t need to be bigger-better-faster because we’re not doing the basics” to protect customer data, he said. “That’s the saddest part of all of this. The vast majority of these incidents could have been completely prevented if (the companies who store data) had been doing the basics.”
Aha! Villain identified!
But, of course, it’s not quite so simple.
Even if you wanted to blame Anthem, proving the company acted negligently in protecting data could be tricky. Henry told me the U.S. Federal Trade Commission could find that Anthem failed to institute industry “best practices” – as defined by the industry, he said – and force them to pay a fine.
(If medical records were stolen, and there’s no indication they were, then HIPAA laws governing medical records could be used to levy fines, too, he said.)
Another school of thought, however, holds that hackers always will be able to break into secure systems. I called someone with that point of view and Avivah Litan, a cyber security analyst at Gartner, said she doesn’t think it’s fair to blame Anthem for the stolen data.
“They did the best they could,” she told me.
“It’s amazing they caught (the hack) on their own.”
Anthem also did the right thing by alerting me and other customers, she said. That will make it harder for the hackers to sell and then exploit the data, at least right now, while people are watching.
Plus, she said, and this is the argument that worked best on me, blaming Anthem doesn’t accomplish much for me the consumer. (Remember: we care about me here. I’m the one who got the email …) If your credit card data is stolen, she said, there are easy ways to rectify the situation. You call the bank and they refund the money, passing on costs to retailers. In the case of personal data breaches like this one, however, there’s essentially no one to blame. Or no one – no entity – who can help you.
“The government should really have some sort of agency where you just call up and you say, ‘I had this bad thing happen’ – and they’ll just fix it for you. And they’ll give you the money back,” she said.
“It ain’t never gonna work like that, but that’s the way it should be.”
Meanwhile, she said, this is a very serious hack.
If she were an Anthem customer, the hackers have “my name, social, date of birth, address,” she explained. “To me, and I’m a security expert, that’s worth more than a credit card. There’s all kind of damage that can happen … Someone could take over my Amazon account. They could call the call center and take money out of my 401(k). They could file a tax refund in my name. And all those things are really hard to recover from.”
“They could go out and create a fake driver’s license and commit a crime. They could take all that information and fake a birth certificate and go to the DMV …”
OK, we’ve got it.
So, back to the main question here: Who to blame?
Both security experts did share one answer: the Social Security number itself.
“We should simply publish everyone’s Social Security number (online) so it can’t be used, effectively,” by hackers, said Henry. If that number loses its value, no one would want to steal it.
Litan more or less agrees.
“You need to make this data useless when it’s stolen,” she said. “That’s the answer.”
I like this line of thinking. And Litan explained to me that there may be a way for health care companies, and other industries, to use a hard-to-crack proxy for a Social Security number in place of the real thing. If these companies never store our most-sensitive data in their records, then it’s of no use.
She cited Apple’s mobile payment system as a potential technological model.
Regulators should look to such technologies as they continue to figure out how to make consumer data safer. We’re helpless in this situation – unable to understand exactly how and where our data is being stored. And unlike email and social media accounts, where stronger passwords and two-step verification systems help, there’s no way consumers can rework the IT infrastructure of a major company like Anthem.
We’re basically at their mercy.
More needs to be done to protect us.
Whether that’s holding companies more accountable, as Henry suggests.
Or making this data worthless to criminals.
Otherwise, we’re left to end conversations with security experts like this.
“Good luck with your stolen identity!” Litan told me.
And then we hung up.