http://www.nbcnews.com/news/us-news/anthem-major-health-insurer-suffers-hack-attack-n300511
Quote: The FBI is investigating a potentially massive computer hacking attack on Anthem, Inc., one of the nation's largest health insurance companies, a federal official told NBC News late Wednesday. The company confirmed the attack.
"Cyber attackers executed a very sophisticated attack to gain unauthorized access to one of Anthem's IT systems and have obtained personal information relating to consumers and Anthem employees who are currently covered, or who have received coverage in the past," company spokeswoman, Kristin Binns, said in a statement.
The company said the hacked database contains 80 million records but they anticipate the actual number of individuals affected will be lower.
"Anthem's initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances. Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible," said Paul Bresson, an FBI spokesman.
The information accessed included names, birthdays, Social Security numbers, street addresses, email addresses and employment information, such as income data, Binns said.
"No credit card banking or financial information was compromised, nor is there evidence at this time that medical information such as claims, test results, or diagnostic codes were targeted or obtained," she said.
The company serves customers in 14 states, including New York and California.
"As soon as we learned about the attack, we immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation," Binns said, adding that the company had retained Mandiant, a leading cybersecurity firm, "to evaluate our systems and identify solutions."
U.S. Rep. Michael McCaul, R-Texas, chairman of the Committee on Homeland Security, released a statement following the hack on Anthem, saying it illustrated why stronger cybersecurity laws are needed.
"This attack is another reminder of the persistent threats we face, and the need for Congress to take aggressive action to remove legal barriers for sharing cyber threat information," said McCaul. "I will lead this effort with other committees in the House and Senate to ensure we move forward with greatly needed cybersecurity legislation as soon as possible."
The first time I read the title, I thought it was "health insurer suffers heart attack".
Quote from: Monoriu on February 05, 2015, 03:22:55 AM
The first time I read the title, I thought it was "health insurer suffers heart attack".
Me too. :P
Same here.
Me too
Company fails to invest in proper cybersecurity mechanisms.
Company gets hacked.
Company apologizes and promises to do better.
Company fails to invest in proper cybersecurity mechanisms.
I thought you would like it. :hug:
Don't even know why this is news anymore, actually. Companies are not held accountable: not by the public, not by government, not even by their shareholders.
Quote from: CountDeMoney on February 05, 2015, 08:42:43 AM
Don't even know why this is news anymore, actually. Companies are not held accountable: not by the public, not by government, not even by their shareholders.
Michael McCaul says it is the Government's fault for making it illegal to share information.
Quote from: CountDeMoney on February 05, 2015, 08:42:43 AM
Don't even know why this is news anymore, actually. Companies are not held accountable: not by the public, not by government, not even by their shareholders.
How would you like the government to hold them responsible?
Quote from: jimmy olsen on February 05, 2015, 09:33:35 AM
Quote from: CountDeMoney on February 05, 2015, 08:42:43 AM
Don't even know why this is news anymore, actually. Companies are not held accountable: not by the public, not by government, not even by their shareholders.
How would you like the government to hold them responsible?
Fines.
And go fuck yourself.
Quote from: Valmy on February 05, 2015, 08:44:57 AM
Quote from: CountDeMoney on February 05, 2015, 08:42:43 AM
Don't even know why this is news anymore, actually. Companies are not held accountable: not by the public, not by government, not even by their shareholders.
Michael McCaul says it is the Government's fault for making it illegal to share information.
He has a point, and not just the one on his head. But he's doing it wrong.
Quote from: CountDeMoney on February 05, 2015, 09:37:53 AM
Quote from: jimmy olsen on February 05, 2015, 09:33:35 AM
Quote from: CountDeMoney on February 05, 2015, 08:42:43 AM
Don't even know why this is news anymore, actually. Companies are not held accountable: not by the public, not by government, not even by their shareholders.
How would you like the government to hold them responsible?
Fines.
Seems fair if they are found to not have taken reasonable prevention measures. After all, they are asking to use gov't resources to find the perpetrators.
They definitely dressed as sluts, I agree.
Quote from: The Brain on February 05, 2015, 01:13:20 PM
They definitely dressed as sluts, I agree.
Has it been shown that wearing a longer skirt actually prevents rape? :unsure:
Quote from: garbon on February 05, 2015, 01:18:23 PM
Quote from: The Brain on February 05, 2015, 01:13:20 PM
They definitely dressed as sluts, I agree.
Has it been shown that wearing a longer skirt actually prevents rape? :unsure:
You're asking for a friend? :unsure:
I only wear long skirts in winter. -_-
Quote from: garbon on February 05, 2015, 01:12:18 PM
Quote from: CountDeMoney on February 05, 2015, 09:37:53 AM
Quote from: jimmy olsen on February 05, 2015, 09:33:35 AM
Quote from: CountDeMoney on February 05, 2015, 08:42:43 AM
Don't even know why this is news anymore, actually. Companies are not held accountable: not by the public, not by government, not even by their shareholders.
How would you like the government to hold them responsible?
Fines.
Seems fair if they are found to not have taken reasonable prevention measures. After all, they are asking to use gov't resources to find the perpetrators.
Same as someone who leaves their car unlocked and then it gets stolen--they're still going to report the theft and hope the cops catch the thieves and get their car back. We don't fine them for having left it unlocked (not that locking it would stop anyone who knows what they're doing from being able to steal it anyway).
Quote from: dps on February 05, 2015, 02:45:39 PM
Quote from: garbon on February 05, 2015, 01:12:18 PM
Quote from: CountDeMoney on February 05, 2015, 09:37:53 AM
Quote from: jimmy olsen on February 05, 2015, 09:33:35 AM
Quote from: CountDeMoney on February 05, 2015, 08:42:43 AM
Don't even know why this is news anymore, actually. Companies are not held accountable: not by the public, not by government, not even by their shareholders.
How would you like the government to hold them responsible?
Fines.
Seems fair if they are found to not have taken reasonable prevention measures. After all, they are asking to use gov't resources to find the perpetrators.
Same as someone who leaves their car unlocked and then it gets stolen--they're still going to report the theft and hope the cops catch the thieves and get their car back. We don't fine them for having left it unlocked (not that locking it would stop anyone who knows what they're doing from being able to steal it anyway).
Well thanks for demolishing your own argument. :D
There's nothing you can really do to keep a professional from stealing your car off of a parking lot if he wants it badly enough. But locking is still an appropriate security measure--it at least helps to deter the amateurs a bit.
Quote from: dps on February 05, 2015, 03:06:33 PM
There's nothing you can really do to keep a professional from stealing your car off of a parking lot if he wants it badly enough. But locking is still an appropriate security measure--it at least helps to deter the amateurs a bit.
We seem to have increasingly companies not taking measures that could prevent a lot of these instances but perhaps aren't doing so because of the cost. Maybe it is just rosy memories (and poorer reporting previously) but it feels like all the time now I get notices of how my personal info has been leaked or stolen.
This seems a rather big issue given that it is personal information and in this most recent example something that you pretty much need to have in the US (health insurance) as opposed to say a credit card. Given the importance / impact this could have on the general public, it seems like the gov't ought to do something if major corporations are not.
All that said, perhaps major corporations are taking all of the reasonable precautions that are needed and this really just is the work of professionals who will get in no matter what.
I think a better analogy would be to say that these are companies that are making cars that don't have locks (or have defective locks), not that it is users of the cars not locking (which can also happen, but will typically result in small data breaches).
Companies won't realistically be able to protect themselves against "a very sophisticated attack" when it comes to systems that cannot be completely isolated.
Quote from: The Brain on February 05, 2015, 03:15:39 PM
Companies won't realistically be able to protect themselves against "a very sophisticated attack" when it comes to systems that cannot be completely isolated.
Do you think a company spokesperson would say an attack wasn't "sophisticated"?
Quote from: garbon on February 05, 2015, 03:36:40 PM
Quote from: The Brain on February 05, 2015, 03:15:39 PM
Companies won't realistically be able to protect themselves against "a very sophisticated attack" when it comes to systems that cannot be completely isolated.
Do you think a company spokesperson would say an attack wasn't "sophisticated"?
What does it matter?
Quote from: The Brain on February 05, 2015, 03:38:56 PM
Quote from: garbon on February 05, 2015, 03:36:40 PM
Quote from: The Brain on February 05, 2015, 03:15:39 PM
Companies won't realistically be able to protect themselves against "a very sophisticated attack" when it comes to systems that cannot be completely isolated.
Do you think a company spokesperson would say an attack wasn't "sophisticated"?
What does it matter?
Your statement is irrelevant if most of the attacks aren't actually very sophisticated.
Quote from: garbon on February 05, 2015, 03:36:40 PM
Quote from: The Brain on February 05, 2015, 03:15:39 PM
Companies won't realistically be able to protect themselves against "a very sophisticated attack" when it comes to systems that cannot be completely isolated.
Do you think a company spokesperson would say an attack wasn't "sophisticated"?
"Our security precautions are so lacking, a rank amateur using a 386 and a 28K external modem could completely steal all of our data in about 60 seconds." Yeah, not something they are going to say.
OTOH, I don't really know enough about cybersecurity to know what precautions are and aren't reasonable (beyond really basic things like "Don't use "PASSWORD" as your password"), nor how hard or easy even good security is to get around.
Fucking Garbon sucks at thread naming even worse than Jacob.
And that's saying a lot.
Quote from: Siege on February 05, 2015, 03:43:31 PM
Fucking Garbon sucks at thread naming even worse than Jacob.
And that's saying a lot.
If you take issue with the headline, you can take it up with Pete Williams of NBC News.
Quote from: garbon on February 05, 2015, 03:40:47 PM
Quote from: The Brain on February 05, 2015, 03:38:56 PM
Quote from: garbon on February 05, 2015, 03:36:40 PM
Quote from: The Brain on February 05, 2015, 03:15:39 PM
Companies won't realistically be able to protect themselves against "a very sophisticated attack" when it comes to systems that cannot be completely isolated.
Do you think a company spokesperson would say an attack wasn't "sophisticated"?
What does it matter?
Your statement is irrelevant if most of the attacks aren't actually very sophisticated.
Why do you believe the statement is irrelevant if most attacks aren't very sophisticated?
Quote from: garbon on February 05, 2015, 03:45:05 PM
Quote from: Siege on February 05, 2015, 03:43:31 PM
Fucking Garbon sucks at thread naming even worse than Jacob.
And that's saying a lot.
If you take issue with the headline, you can take it up with Pete Williams of NBC News.
Strawman!!11
Quote from: The Brain on February 05, 2015, 03:51:50 PM
Quote from: garbon on February 05, 2015, 03:40:47 PM
Quote from: The Brain on February 05, 2015, 03:38:56 PM
Quote from: garbon on February 05, 2015, 03:36:40 PM
Quote from: The Brain on February 05, 2015, 03:15:39 PM
Companies won't realistically be able to protect themselves against "a very sophisticated attack" when it comes to systems that cannot be completely isolated.
Do you think a company spokesperson would say an attack wasn't "sophisticated"?
What does it matter?
Your statement is irrelevant if most of the attacks aren't actually very sophisticated.
Why do you believe the statement is irrelevant if most attacks aren't very sophisticated?
Your statement posits that companies can't be expected to protect against very sophisticated attacks. If the attacks are not very sophisticated, then who cares about that?
Quote from: garbon on February 05, 2015, 03:58:06 PM
Quote from: The Brain on February 05, 2015, 03:51:50 PM
Quote from: garbon on February 05, 2015, 03:40:47 PM
Quote from: The Brain on February 05, 2015, 03:38:56 PM
Quote from: garbon on February 05, 2015, 03:36:40 PM
Quote from: The Brain on February 05, 2015, 03:15:39 PM
Companies won't realistically be able to protect themselves against "a very sophisticated attack" when it comes to systems that cannot be completely isolated.
Do you think a company spokesperson would say an attack wasn't "sophisticated"?
What does it matter?
Your statement is irrelevant if most of the attacks aren't actually very sophisticated.
Why do you believe the statement is irrelevant if most attacks aren't very sophisticated?
Your statement posits that companies can't be expected to protect against very sophisticated attacks. If the attacks are not very sophisticated, then who cares about that?
You're not making any sense.
Quote from: The Brain on February 05, 2015, 04:01:40 PM
Quote from: garbon on February 05, 2015, 03:58:06 PM
Quote from: The Brain on February 05, 2015, 03:51:50 PM
Quote from: garbon on February 05, 2015, 03:40:47 PM
Quote from: The Brain on February 05, 2015, 03:38:56 PM
Quote from: garbon on February 05, 2015, 03:36:40 PM
Quote from: The Brain on February 05, 2015, 03:15:39 PM
Companies won't realistically be able to protect themselves against "a very sophisticated attack" when it comes to systems that cannot be completely isolated.
Do you think a company spokesperson would say an attack wasn't "sophisticated"?
What does it matter?
Your statement is irrelevant if most of the attacks aren't actually very sophisticated.
Why do you believe the statement is irrelevant if most attacks aren't very sophisticated?
Your statement posits that companies can't be expected to protect against very sophisticated attacks. If the attacks are not very sophisticated, then who cares about that?
You're not making any sense.
Thanks, g. :rolleyes:
Quote from: garbon on February 05, 2015, 03:11:31 PM
Quote from: dps on February 05, 2015, 03:06:33 PM
There's nothing you can really do to keep a professional from stealing your car off of a parking lot if he wants it badly enough. But locking is still an appropriate security measure--it at least helps to deter the amateurs a bit.
We seem to have increasingly companies not taking measures that could prevent a lot of these instances but perhaps aren't doing so because of the cost. Maybe it is just rosy memories (and poorer reporting previously) but it feels like all the time now I get notices of how my personal info has been leaked or stolen.
This seems a rather big issue given that it is personal information and in this most recent example something that you pretty much need to have in the US (health insurance) as opposed to say a credit card. Given the importance / impact this could have on the general public, it seems like the gov't ought to do something if major corporations are not.
All that said, perhaps major corporations are taking all of the reasonable precautions that are needed and this really just is the work of professionals who will get in no matter what.
When it comes to retailers, I still say the best way to protect customers' data is to not collect it in the first place. They don't need it.
Health insurance is a different story though. It's actually illegal for them to share the data under HIPAA, but I don't know if that applies if they share it involuntarily. But obviously they do need to collect it.
Incidentally, I bet at least half of the posters on this board are covered by Anthem in one form or another.
Quote from: MadImmortalMan on February 05, 2015, 04:11:54 PM
When it comes to retailers, I still say the best way to protect customers' data is to not collect it in the first place. They don't need it.
That's technically true for most cash purposes, but not if the retailer accepts checks and debit/credit cards. Also, there are some sales in which the retailer is required to get customers' data--firearms sales, for example--and other transactions in which it is necessary for other reasons, such as warranty registration.
Quote from: garbon on February 05, 2015, 04:02:17 PM
Quote from: The Brain on February 05, 2015, 04:01:40 PM
Quote from: garbon on February 05, 2015, 03:58:06 PM
Quote from: The Brain on February 05, 2015, 03:51:50 PM
Quote from: garbon on February 05, 2015, 03:40:47 PM
Quote from: The Brain on February 05, 2015, 03:38:56 PM
Quote from: garbon on February 05, 2015, 03:36:40 PM
Quote from: The Brain on February 05, 2015, 03:15:39 PM
Companies won't realistically be able to protect themselves against "a very sophisticated attack" when it comes to systems that cannot be completely isolated.
Do you think a company spokesperson would say an attack wasn't "sophisticated"?
What does it matter?
Your statement is irrelevant if most of the attacks aren't actually very sophisticated.
Why do you believe the statement is irrelevant if most attacks aren't very sophisticated?
Your statement posits that companies can't be expected to protect against very sophisticated attacks. If the attacks are not very sophisticated, then who cares about that?
You're not making any sense.
Thanks, g. :rolleyes:
:mad: I'm white and... er... not gay.
I suppose grumbles was gay once until homosexuals stole the term.
Quote from: garbon on February 05, 2015, 04:41:52 PM
I suppose grumbles was gay once until homosexuals stole the term.
I doubt it. The Sioux called grumbler Anger-With-Long-Legs.
The ancient Medes say that Ahura Mazda removed the rage from the eternal fire so that it would only be a source of warmth and love. But he had to put the rage somewhere, so he put it in grumbler.
Quote from: dps on February 05, 2015, 03:42:34 PM
"Our security precautions are so lacking, a rank amateur using a 386 and a 28K external modem could completely steal all of our data in about 60 seconds." Yeah, not something they are going to say.
OTOH, I don't really know enough about cybersecurity to know what precautions are and aren't reasonable (beyond really basic things like "Don't use "PASSWORD" as your password"), nor how hard or easy even good security is to get around.
From Hacker News:
Quote: Having spent almost 4 years in healthcare IT. Very few healthcare organizations take security seriously. There is very much a security by anonymity ideal. I worked for a small medical company that had access to 20,000 PHI records, and I was explicitly told, "why would anyone want to hack us, we are small potatoes." I left that company shortly thereafter.
Yet companies I work with now big and small look at security as just a bunch of checkboxes on a government audit form. As long as upper management continue to see security as a cost loss center, and continue to only do the minimum necessary to pass said audits, these breaches will continue to happen.
Quote from: Baron von Schtinkenbutt on February 05, 2015, 06:32:11 PM
From Hacker News:
Quote: Having spent almost 4 years in healthcare IT. Very few healthcare organizations take security seriously. There is very much a security by anonymity ideal. I worked for a small medical company that had access to 20,000 PHI records, and I was explicitly told, "why would anyone want to hack us, we are small potatoes." I left that company shortly thereafter.
Yet companies I work with now big and small look at security as just a bunch of checkboxes on a government audit form. As long as upper management continue to see security as a cost loss center, and continue to only do the minimum necessary to pass said audits, these breaches will continue to happen.
Funny, when I say it, Berkut gives me a ration of shit.
Yep. That's the problem with most organizations and their IT departments. They see it as a cost center. A lot of them actually have the head of IT report to somebody in finance. Stupid.