Anthem breach dates back to December

As more details about the Anthem data breach come to light, sources close to the investigation say that Chinese state-sponsored hackers might be behind the attack.

Steve Ragan got ahold of a memo sent out by the company to its clients on Thursday, which says that “on January 27, 2015, an Anthem associate, a database administrator, discovered suspicious activity – a database query running using the associate’s logon information. He had not initiated the query and immediately stopped the query and alerted Anthem’s Information Security department. It was also discovered the logon information for additional database administrators had been compromised.”

The company realized that they were victims of a “sophisticated cyber attack” on January 29, and immediately notified the FBI. The subsequent investigation discovered that query activity started on December 10, 2014, and continues sporadically until January 27, 2015.

Did they suspect they were targeted back in December? Is it just a coincidence that the domain, on which the breach notification was posted, was registered in December 2014 – only a few days after that first query? Or did Anthem simply set up a generic domain for future needs?

The memo repeats that no payment card or medical health treatment information was compromised – as far as they can tell. It’s still unknown how many databased records have been accessed by the attackers.

“The attack that occurred was highly sophisticated in nature and is what is called an APT – Advanced Persistent Threat. The attacker has a proficient understanding of the data platforms and successfully utilized valid database administrator logon information,” the company also shared.

In the meantime, two sources close to the investigation told Bloomberg that there is some evidence that suggests that the breach was executed by Chinese state-sponsored hackers.

Apparently, they could have been after medical data about potential future intelligence targets such as government and defense contractors’ employees. Blackmailing them with the revelation of potentially ruinous medical information could be a way for spies to access national security and trade secrets.

To be fair, people close to the investigation also told Bloomberg that “the final determination of the hackers’ identity could ultimately change” as the investigation is still young.

In the meantime, affected users should be careful of potential phishing attacks impersonating Anthem.

“In light of reports that actual medical history and information was not stolen, customers should request more information on how the organization knows that no medical records were compromised,” says Elise Yacobellis, Director of Global Development, (ISC)2.

“The impact of an identity breach is potentially more dangerous and harmful than that of a credit card breach,” pointed out Philip Casesa, director of IT/Service Operations, (ISC)2.

“Credit card breaches are quickly mitigated by issuing a new card and account number – a routine process for card-issuing banks. Even with massive credit card breaches, actual credit card fraud is low because banks are so adept at responding. Identity attacks, such as the one on Anthem, will likely have a longer lasting and more devastating impact. The disclosure of Social Security numbers and other data points such as income, employment status and birth dates allow attackers to sell this information to other criminal operations. Other potential issues with identity breaches involve the ability for the hackers to commit massive fraud themselves by creating accounts with credit card companies or other financial institutions, causing the victim to cope with the fallout from such a violation for an extended period of time.”

“While Anthem will likely offer some protection services to their customers, potential victims shouldn’t wait. They may want to go ahead and activate credit freeze alerts, credit monitoring, and gather supporting financial and personal documentation for future issues,” he concluded.

Don't miss