2015 is still young, but the recent data breach may prove to be the year’s biggest. Anthem, the United States’ second-largest insurer, recently revealed hackers accessed the company’s database, compromising as many as 80 million customers’ records in the process.
Obviously, this is bad news for Anthem. But it’s also bad news for companies of all kinds. The scope and nature of this breach, as well as its aftermath, should be seen as representative of the growing value that customer data holds for cybercriminals, suggesting hackers will ramp up their cyberattacks in the coming months and years. To remain safe in this environment, organizations need to make information security awareness a top-level priority.
A massive breach
According to Vitor De Souza, a computer security expert, this represents the largest health care-related data breach ever to occur, the Indianapolis Star reported. The stolen data, which pertained to both current and former customers, contained a wide range of personally identifiable information. This included customers’ names, birth dates, Social Security numbers, street and email addresses and incomes.
“Anthem’s own associates’ personal information – including my own – was accessed during this security breach,” Anthem CEO Joseph Swedish wrote in a letter to customers. “We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.”
Anthem emphasized that there is no evidence to suggest credit card numbers were exposed in the cyberattack. The hackers also did not access any clients’ medical information.
While this may be seen as a silver lining, it also demonstrates just how much the realm of cybersecurity has evolved in the past few years. Hackers now realize they don’t need to target individuals’ finances directly via credit card number theft, nor do they need medical data – they can profit just as well from personally identifiable information. The hackers can use this data to commit identity theft and fraud, or they can sell the information on the black market to other criminals.
This means that the amount and variety of information that companies need to protect is growing, and hackers are becoming increasingly sophisticated and tenacious in their efforts to steal that data.
The devastating aftermath
Because no medical information was accessed, this breach does not constitute a HIPAA violation. However, that does not undercut the severity of the incident for Anthem. First and foremost, the company’s reputation has been undeniably and (likely) permanently damaged by the breach. This will almost certainly result in a major loss of business for years to come.
Making matters worse, other cybercriminals are now conducting an email scam aimed at individuals affected by the breach. These phishing attacks purport to come from Anthem, but in reality are efforts to trick recipients into revealing credit card or Social Security numbers. These efforts will extend the fallout from the data breach even further.
Additionally, a number of affected customers have already filed lawsuits. As Fortune reported, these suits allege that Anthem did not take sufficient steps to protect its clients’ data from cyberthreats. The source noted that these suits, filed in Alabama and California, may eventually be consolidated with other complaints into a class action lawsuit.
The lawsuits Anthem now faces focus primarily on the company’s failure to encrypt the customer data that was ultimately stolen. Encrypting customer data is an important step, one that far more firms should embrace.
Additionally, organizations need to broaden information security awareness and training among employees and IT staff. Most hackers will choose their targets based on opportunity – opportunities that untrained workers create by failing to abide by best practices. By making information security awareness a priority throughout the organization, business leaders can vastly improve the overall quality of their cyberdefenses.