A foreign government may have been behind a cyber breach of health insurance company Anthem Inc. that compromised the records of more than 78 million consumers, investigators said Friday. They declined to identify the hackers or the foreign government.
Social Security numbers, birthdates and employment details of customers were accessed in the breach, officials said. Cybersecurity experts say the data could help a foreign government build a profile of people they’re targeting for espionage.
“Intelligence has become a data-mining exercise,” says Avivah Litan, a vice president and security analyst for Gartner Research. “The intelligence officer of 2017 needs a lot of data to find targets and get to the targets that they’re interested in.”
Anthem, the nation’s second-largest health insurer, has agreed to make $260 million in improvements to its information security systems as part of a settlement with insurance regulators in most U.S. states and territories.
The company will also provide credit protection to consumers whose information was compromised.
The insurer is licensed in all 50 states and conducts business under brands including Blue Cross Blue Shield, Unicare, CareMore, and Amerigroup.
Investigators from the cybersecurity firm CrowdStrike identified the attackers with “high confidence” and concluded with “medium confidence” that they were working for a foreign government, according to a report released by California Insurance Commissioner Dave Jones.
“We do not have information as to the motive of those that were behind this cyber-attack, but the volume of information and the kind of information taken is very troubling,” Jones says.
A finding of high confidence means the information is verified by multiple sources or a single highly reliable source. Medium confidence means the information is open to multiple interpretations or not reliable enough to warrant higher confidence.
Federal law enforcement officials requested that Jones not identify the foreign government due to an ongoing investigation, says Madison Voss, a spokeswoman for the insurance department.
Previous attacks by that same government have not resulted in personal information being sent to non-governmental entities, CrowdStrike says in its report.
Foreign spy agencies amass as much data as possible from various data breaches to identify espionage targets, gain leverage over them and hone their approach, cyber security experts say.
For example, a security-conscious engineer at a defense contractor would be more likely to open a nefarious email if it appeared to be from his child’s teacher and referenced her by name, Litan says.
“The nation-states that are targeting U.S. companies and U.S. government have taken a big data approach to this information,” says Erik Rasmussen, cyber practice leader for Kroll, a risk-management firm. “They don’t know if this is valuable now, but it might be valuable in five years so they amass it now while they can.”
Foreign governments don’t use hacked data to steal identities on a large scale, Rasmussen said, but rogue operatives have on occasion used the data for criminal activity.
Investigators say intruders cracked Anthem’s database in February 2014 with a phishing email and evaded multiple layers of security. The hackers eventually gained remote access to at least 90 systems within the Anthem enterprise.
California insurance commissioners concluded that shortfalls in Anthem’s security protocols were typical for a company of its size and declined to issue fines or other punishment. They said the company responded promptly, ejecting the cyber intruders within three days and notifying affected customers.
Anthem notified the public and its customers through mail, e-mail, news releases, website postings and state regulators, the report says.
A lawsuit filed by customers who say they were affected by the breach paints Anthem as a ripe target for hackers. It says the insurer allowed wide employee access to its database and didn’t train workers on the handling of phishing emails.
Anthem discovered the cyber breach a year ago and said it included the records of at least 12 million minors.
Anthem spokesman Darrel Ng says the insurer has cooperated with insurance regulators since the breach was discovered.
“Anthem takes the security of its information and the personal information of consumers very seriously and is committed to protecting the data of its customers,” Ng says in an emailed statement.
Kristin J. Bender in San Francisco contributed to this report.