Thursday, February 5, 2015

Data stolen from Anthem could be an identity thief's dream

Wednesday night, insurance provider Anthem Inc. revealed that they had been the target of a cyber attack in which considerable personal identity information was taken. Ordinarily my response to the major breach notices in the news is "meh." When credit card information is stolen, it's easy enough to get a card replaced and watch for fraudulent charges. The media tends to over-hype such breaches because they affect a large number of people and make for good headlines, but in the end, the real effect on people like you and me is little more than the inconvenience of replacing a card and perhaps disputing a few easily-noticed fraudulent charges.

This is different.


According to the company web site, one in nine Americans receives coverage for their medical care through Anthem's affiliated plans. Nearly as many more are served through its other divisions, including life insurance. All told, Anthem has nearly 69 million individuals in its systems - adults as well as children.


Information stolen from Anthem includes social security numbers, birthdates, street addresses, email addresses, phone numbers, and employment information including income.

With a payment card breach, it is easy enough to replace a card. What do you do when your social security number is stolen? Or your birthdate? Put another way, what information do you use to open a banking or credit account? Your SSN, date of birth, street address, and sometimes employment information or income. Exactly the items that were stolen from Anthem.

In other words, the Anthem breach was an identity thief's dream come true.

This story is just now coming to light - it is not yet known how much data was actually taken, but information on roughly 80 million people in Anthem's systems (see the update below on the 69 million versus 80 million figures) was exposed.


Affected brands include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare.


First the Bad News

This information could be used in many different ways. It could be used to open new financial accounts in your name. What does a bank, or retail credit card, or other financial institution typically ask for when opening a new account? Your social security number, date of birth, address, and possibly proof of income. What was stolen? You get the picture.

It could be used to craft ever more effective phishing messages. Phishing is an attempt to trick you into giving away valuable information, often by getting you to log into what you believe to be a legitimate site, thereby giving the attacker your username and password so they can log in to the actual site. By knowing information about you, a criminal could craft a message using information specific to you.

In some cases, the "password reset" questions for various accounts might be answered by information stolen from Anthem.

This information could be used to file fraudulent tax returns. Whether you will owe tax or be due a refund, a criminal could file a return in your name, with false income information guaranteed to give them a refund, leaving you on the hook to unravel the mess with the IRS. In fact, according to multiple news sources, this has already occurred, leading software maker Intuit to temporarily stop accepting electronic submissions of individual state tax returns through its popular TurboTax product.

Unlike passwords, credit card numbers, and other information commonly stolen, social security numbers and dates of birth don't change. The stolen information could be used just as effectively ten years from now, long after the free year of "credit monitoring" that almost every breached company offers runs out.


Reduce identity misuse with a Fraud Alert

For now, Anthem has created a web site to communicate information about this breach with its customers. As more information comes to light I will update this article. In the meantime, there is a very effective step you can take to reduce the risk of stolen information being used to impersonate you. By putting a Fraud Alert on your credit report, any bank or business that might issue credit in your name knows to verify it is actually you before opening an account; most often, that is by calling a phone number you have placed on your credit report. The below is reprinted from an earlier post on this blog:


Keep in mind that the information you use to verify your identity to the credit bureaus is in some part the same information that was stolen. It is not implausible that a determined attacker could convince the credit bureau that they are you, and remove your fraud alert or credit freeze, but most of us don't face a determined attacker specifically interested in us. Generally speaking, criminal hackers go for the easy prey. You don't have to outrun the bear, you just have to outrun the next-slowest person. A Fraud Alert or credit freeze accomplishes this.


Under US law you have several rights with each of the four best-known credit bureaus (yes, there is a fourth). The first is the right to obtain a copy of your credit report, once a year, from each company. I schedule a reminder every three months, to request a copy of my credit report from a different bureau each quarter.

The second right is to place an Initial Fraud Alert on your record. Note that you DO NOT have to be the victim of identity theft to have this right. Even if you suspect that your identity might be at risk (in other words, if you are breathing), you have the right to place an initial fraud alert on your record. This alert tells potential creditors that they must take additional steps to verify your identity before issuing you credit. Often, this means the creditor will call you - at the phone number listed in your credit report (not a number provided by a fraudster) - to ensure you are in fact the one requesting a new credit account.

An initial fraud alert stays on your record for 90 days, and you can renew it as often as you like, at no cost. Do this. Put an initial fraud alert on your record at all four agencies (see the links below), then put a reminder on your calendar to renew it every 90 days. 15 minutes every 3 months is an easy investment to make in light of the headache you may avoid.

In the event that you already are the victim of fraud, you can then request an extended fraud alert - the same idea but it lasts for 7 years instead of 90 days. The credit agencies require a police report substantiating that you have been the victim of identity theft.

The third option is a "security freeze." The difference between an alert and a freeze is that an alert simply warns potential creditors to verify your identity before issuing credit, whereas a freeze denies access altogether. Potential creditors cannot even access your credit report, and thus will not grant credit. This is generally not a free option though - depending on your state and on the agency, there may be a fee to place a freeze on your report, and there may be a fee to "thaw" your report (for instance, if you legitimately want to open a new credit line).

Below are links to the fraud alert request pages for the major credit reporting agencies:


Update: Anthem's marketing website indicates they have "nearly 69 million people served by its affiliated companies including more than 37 million enrolled in its family of health plans," however the information they are giving on this breach is that the breached database contained information on about 80 million customers and employees.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.