Excellus Blue Cross and Blue Shield, a Rochester, N.Y. based insurer, disclosed on Wednesday afternoon that it was the victim of a sophisticated cyber attack by hackers who may have gained access to over 10 million personal records.
David Gibson, VP of Strategy and Market Development, Varonis comments;
Excellus is currently saying there’s no evidence that the information was “removed.” Who are we kidding here? The hackers were just browsing around for kicks? The reality is that they probably have no idea what happened or what was stolen and never will. This would come as no surprise to anyone, and doesn’t sound much different than the major cyber attacks that we have more information on.
In the case of the notorious Anthem data breach, thieves were outsiders who were able to stealthily get a hold of employee credentials to access files. And we’d be willing to bet that’s exactly what happened here.
While CIOs and security professionals may feel safe with large investments in firewalls, virus detection and other perimeter defenses, the on-the-ground reality is that today’s hackers continue to get better at their jobs and will easily get around these protections through a virtual side-door without ever being spotted.
To the poor IT admin monitoring a system during a typical breach like this, the hackers’ activities would have appeared as an employee browsing the web.
We might as well be giving bank robbers an employee badge and a keycard to the safe deposit boxes. And in our experience we have found that healthcare, an industry that is responsible for a wealth of sensitive data of various kinds, is surprisingly bad at this. In a study we conducted with the Ponemon Insitute earlier this year, 65% of employees in the health and pharma industries believe they have access to sensitive data they don’t need to do their jobs, with 51% believing they see this data at least frequently.
So, the compromise of just a few, or even one, employee account opens a hacker up to a wealth of sensitive information.
It’s time for organisations to shift priorities and assume that some of their employees (and even their administrators and executives) will be duped into giving up information (like their password) and/or downloading malicious code. If an attacker steals an employee’s password (and you’re not using multi-factor authentication) then the attacker gets access to wherever they can use the password – any external or public-facing systems or applications where the employee used the same password are easily accessible.
Mike Spykerman – Vice President of Product Management, OPSWAT commented further that;
“The Excellus attack occurred back in December 2013 and went undetected until now. Unfortunately, Advanced Persistent Threats (APT) are capable of eluding single anti-malware defenses and staying under the ‘malware radar’ by lying in wait before executing their payload or by utilizing otherwise harmless files or processes. By implementing multiple layers of defense and using a multi-scanning solution that combines different detection algorithms and heuristics of multiple anti-malware engines, as well as other preventive measures such as data sanitization, many more advanced threats can be detected and a company’s exposure greatly diminished.”
Simon Crosby – CTO and Founder, Bromium concluded stating,
That the company only discovered the breach almost a year and a half after it took place is indicative of a naïve attitude toward security. It is unforgivable that any organization should be so lackadaisical in its handling of customer data at a time when it is entirely possible to prevent breaches from happening in the first place, or to detect anomalous behavior in the network to indicate a breach in progress.