I received my third letter in as many years this morning from a business telling me that their network was breached and my personal information compromised. In this case, the business was Anthem, and I’m queasier about this one since the list of information possibly taken is the longest yet: names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses and employment information - including income data.
Another scary note in the Anthem letter is this statement: “Anthem believes that this suspicious activity may have occurred over the course of several weeks beginning in early December 2014.” I have a few problems with this statement:
- First, this letter is dated March 22, 2015 and I received it via snail mail on March 31, 2015 – so while I heard about this breach when it was discovered (Jan. 29, 2015), I didn’t receive notice that I was possibly affected as a former member until more than 3 months later. Not to mention that it took them almost two months just to discover the breach (early December to late January).
- Second, the suspicious activity may have occurred over the course of several weeks – SEVERAL WEEKS – this means it was a sustained and undetected attack for a significant amount of time – an advanced persistent threat as we call it in the biz…one of the hardest to address with legacy (read: outdated) antimalware technology.
- Finally, there are an awful lot of qualifiers in this statement – and others – throughout the letter: “may have occurred” and “may have been impacted” – wait a minute, Anthem, are you telling me you don’t know what was taken or when?
[Image: Preview of Anthem's letter to their customers]
Now, I don’t mean to imply that Anthem is doing anything different than any other business when it comes to cyberattacks – in terms of detection, remediation and notification. My real point is that the *new* adage is true: you’re either a business that has been breached, or you just don’t know yet that it’s happened.
As was the case with my other similar experiences with Target and Home Depot, I’m being offered AllClear ID identity protection – this time for two years at no cost. I’m starting to have overlapping identity theft protection from all these businesses giving it to me for free because their networks – and my information – were compromised.
I have to say: I don’t feel this is enough anymore. I fully expect to get free protection at least once a year now from a business I have a relationship with that is breached. What I’d like to see is a more aggressive dialogue throughout the business community of how these breaches can be prevented in the first place and what steps should be taken – layering cyber security solutions, encryption, better authentication, network and infrastructure security audits, etc. I want to feel like these companies are doing everything they can to protect me as their customer – and not just placating me with identity protection after the fact.
In this letter, Anthem also gives me “Fraud Prevention Tips” – which, while welcome and always good to reinforce to the general public, is a bit ironic given that they’re the ones who were breached. I have some tips for all businesses: preventing an attack in the first place will always be cheaper than remediating one after the fact. It’s time to invest more in network and infrastructure security and prioritize protecting your customers. While there will never be any silver bullet for 100% protection against cyber criminals, it’s time to dedicate more resources to this goal so I can stop getting these letters every few months…or maybe that’s just a pipe dream from someone who has to go sign up for more free identity protection now.