Thursday, May 14, 2015

Jason Atchley : Data Security : Did One Poor Storage Decision Expose 80 Million Customers?


Did One Poor Storage Decision Expose 80 Million Customers?

By  | February 12, 2015
Last week, Anthem – the nation’s second-largest health insurance company – joined an illustrious list. Unfortunately, it wasn’t a list an organization would want to be affiliated with, as it became the latest victim of a massive external cyberattack. The nature of the attack bears a close resemblance to the notorious recent Sony breach: information such as names, birthdays, medical IDs, Social Security numbers, addresses, e-mail addresses, employment information and income data was compromised.
The extent of the damage is still being assessed, but interestingly enough, these cyber criminals were after a very specific set of data, given that no medical or credit card records appear to have been tampered with. In a statement, Anthem’s CEO Tim Eades said, “The personally identifiable information they got is a lot more valuable than the fact that I stubbed my toe yesterday and broke it.” I found this statement quite interesting because it was an acknowledgment that Anthem recognized that their most valuable set of data is now in the wrong hands. The truth is, hackers are getting smarter, and they recognize exactly what data is most valuable to organizations.

Where’s the encryption?

Another startling revelation is that Anthem stored the Social Security numbers of 80 million customers without encrypting them! Some pundits are arguing on Anthem’s behalf that the organization was balancing protecting the information against keeping it useful. But why does this have to be a compromise? By its nature, encryption scrambles the data to the point where hackers would be trying to piece together an unsolvable jigsaw puzzle of millions of pieces. Anthem’s decision not to encrypt the data simply made reading it easier for the hackers. Anthem may have had their reasons, but given the vulnerable times we live in, it is baffling that any organization would choose not to encrypt its customers’ data.
If my bank told me that access to my banking data would be slowed down in return for it being secured, guess what option I’d take? This shouldn’t be rocket science. There is no reason why secure technology should come at the expense of slower performance.

Does there need to be a trade-off?

One challenge organizations face in securing data is whether or not to diminish the customer experience in favor of tighter security. Perhaps part of the solution here is identifying “valuable data” vs “all data.”
Encrypting all your company data is expensive and could slow down your entire IT infrastructure. Choosing certain data sets to encrypt is smarter, and given that Anthem clearly had some idea of what their valuable data was (see Tim Eades’ comment above), why did they choose not to encrypt it? And it is possible. As an example, Imation’s Nexsan Assureon secure archive individually encrypts each file with its own AES-256 key to provide the strongest separation and security of data. Users can choose which files they do and do not want to encrypt, so they protect and encrypt the valuable data without impacting performance on the rest. Did Anthem miss the boat on that one?
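The selective, per-file scheme described above (one fresh AES-256 key per file, applied only to files the owner classifies as sensitive) can be sketched in a few lines of Go. This is an added example, not code from the article or from Imation’s product; the master key (KEK), the file names and the choice to wrap each file key under the KEK with the file name as associated data are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm builds AES-256-GCM; crypto/aes would silently pick AES-128 for a 16-byte key.
func gcm(key []byte) cipher.AEAD {
	if len(key) != 32 {
		panic("AES-256 needs a 32-byte key")
	}
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal returns nonce||ciphertext; aad binds the ciphertext to the file name.
func seal(key, aad, plain []byte) []byte {
	nonce := make([]byte, 12) // GCM's standard 96-bit nonce, fresh per call
	rand.Read(nonce)          // crypto/rand.Read never returns an error as of Go 1.24
	return gcm(key).Seal(nonce, nonce, plain, aad)
}
func open(key, aad, box []byte) ([]byte, error) {
	if len(box) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, box[:12], box[12:], aad)
}

// Store keeps non-sensitive files in clear (wrappedDEK == nil) and encrypts each
// sensitive file under its own random AES-256 key (DEK), wrapped under the archive KEK.
func Store(kek []byte, name string, sensitive bool, plain []byte) (body, wrappedDEK []byte) {
	if !sensitive {
		return plain, nil
	}
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(dek, []byte(name), plain), seal(kek, []byte(name), dek)
}

// Load unwraps the DEK with the KEK and decrypts; a tampered body, a tampered
// wrapped key or a renamed file fails authentication instead of yielding garbage.
func Load(kek []byte, name string, body, wrappedDEK []byte) ([]byte, error) {
	if wrappedDEK == nil {
		return body, nil
	}
	dek, err := open(kek, []byte(name), wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, []byte(name), body)
}
```

Because every sensitive file carries its own wrapped key, compromising one file’s key exposes only that file, and the KEK itself never touches file data.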

What’s next?

Another attack. It’s imminent, and it’s anyone’s guess who the next victim will be. No one is safe, not even me. In the past few weeks, I’ve been getting calls from mysterious caller IDs where reps claim I have outstanding loans (requiring immediate payoffs), have won a luxury cruise somewhere in the Bahamas, have a returned check from my bank, etc. I’m sure many of you get these calls too! It’s easy to ignore the BS claims, but it’s not so easy to ignore how these folks get our personal mobile numbers or e-mails to begin with. I can only hope that the organizations I trust my data with aren’t exposing me to similar risks!
