Anthem Attack Looks Like The Work Of Chinese Hackers

The massive data breach at health insurer Anthem appears to be the work of Chinese state-sponsored hackers who may have been searching for material to use in blackmailing government employees, Bloomberg reported on Thursday (Feb. 5).

The breach, which lasted for almost seven weeks and was made public by the company late Wednesday, exposed Social Security numbers, birth dates and income data, but apparently not payment card or medical information, for 80 million Anthem customers. Anthem is the second-largest health insurer in the U.S.

Sources close to the investigation said technical details of the attack match the pattern of a state-sponsored attack. The sources, whom Bloomberg did not name, said China is the early suspect, though they cautioned that could change before a final determination is made. The number of customers with information exposed by the breach could also end up lower, the sources said.

Another source told Bloomberg that the attack resembles other thefts of medical data by foreigners who appear to be seeking a pathway into the personal lives and computers of defense contractors, government workers and others in security-related jobs. Stolen information such as birth dates and email addresses could be used for phishing attacks, while medical data could be used for blackmail. Employees of defense contractors Boeing and Northrop Grumman had medical claims data in Anthem’s systems, Bloomberg reported.

“The healthcare environment is in an unfortunate position: It didn’t expect to be a high, heavy target five years ago, so they didn’t prepare,” Orion Hindawi, CTO for security firm Tanium Inc., told Bloomberg. “They didn’t expect to have advanced threats from nation-state actors targeting them.”

While Bloomberg’s sources said Anthem first detected the breach on Jan. 29, a report by CSO Magazine quoted an internal Anthem memo that said in part, “On January 27, 2015, an Anthem associate, a database administrator, discovered suspicious activity — a database query running using the associate’s logon information. He had not initiated the query and immediately stopped the query and alerted Anthem’s Information Security department. It was also discovered the logon information for additional database administrators had been compromised.” Two days later, on Jan. 29, Anthem concluded it was the victim of an attack and notified federal law enforcement.

In the memo, Anthem said the database queries had been running sporadically since Dec. 10, 2014, and the breached information included names, birth dates, member ID numbers, Social Security numbers, street addresses, phone numbers, email addresses and employment information including income data, but not payment or medical information. Anthem also said it had “changed passwords and secured the compromised data warehouse” and had hired security firm Mandiant to strengthen security on its systems.
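The memo describes the two signals that eventually surfaced the intrusion: a privileged database account running queries its owner had not started, and that activity recurring sporadically for weeks before anyone noticed. The following is an added illustration, not code from Anthem, Mandiant or the article, of how a defender can turn those signals into an automated check over database audit logs. It assumes a simple pipe-delimited audit format and a per-account baseline of known workstations and working hours; the log lines, account names, hosts and threshold are all constructed for the example.

```python
from datetime import datetime

# Constructed audit log lines (invented for this example, not Anthem's logs).
# Format: timestamp|account|source_host|statement|rows_returned
SAMPLE_AUDIT_LOG = """\
2014-12-09T10:14:05|dba_alice|ws-alice.corp.example|SELECT count(*) FROM members|1
2014-12-10T02:41:33|dba_alice|10.20.30.40|SELECT * FROM members|4500000
2014-12-10T09:02:11|dba_alice|ws-alice.corp.example|ALTER TABLE claims ADD COLUMN note text|0
2014-12-17T03:12:48|dba_bob|10.20.30.40|SELECT ssn,dob,name FROM members|3800000
2015-01-27T14:30:02|dba_alice|10.20.30.40|SELECT * FROM members WHERE state='VA'|2100000
2015-01-27T14:31:10|dba_alice|ws-alice.corp.example|SELECT * FROM members LIMIT 10|10
"""

# Assumed baseline for each privileged account: the hosts its owner actually
# works from and the hours (start, end) during which that person normally works.
BASELINE = {
    "dba_alice": {"hosts": {"ws-alice.corp.example"}, "hours": (7, 19)},
    "dba_bob": {"hosts": {"ws-bob.corp.example"}, "hours": (7, 19)},
}

# A SELECT returning at least this many rows from a privileged session is
# treated as a bulk read worth a second look (constructed threshold).
BULK_ROW_THRESHOLD = 100_000


def parse_line(line):
    """Split one audit record into its fields; the statement may contain any character except '|'."""
    ts, account, host, statement, rows = line.split("|", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "account": account,
        "host": host,
        "statement": statement,
        "rows": int(rows),
    }


def anomaly_reasons(event, baseline):
    """Return the list of reasons an event deviates from the account's baseline (empty if none)."""
    reasons = []
    profile = baseline.get(event["account"])
    if profile is None:
        return reasons  # not a monitored privileged account
    if event["host"] not in profile["hosts"]:
        reasons.append("unknown source host")
    start, end = profile["hours"]
    if not start <= event["ts"].hour < end:
        reasons.append("outside working hours")
    if event["statement"].upper().startswith("SELECT") and event["rows"] >= BULK_ROW_THRESHOLD:
        reasons.append("bulk read")
    return reasons


def detect(log_text, baseline=BASELINE):
    """Run every audit record through the baseline check and keep the ones that deviate."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reasons = anomaly_reasons(event, baseline)
        if reasons:
            findings.append({**event, "reasons": reasons})
    return findings


def first_seen(findings):
    """Earliest anomalous event per account, which answers 'how long has this been going on?'."""
    earliest = {}
    for finding in findings:
        account = finding["account"]
        if account not in earliest or finding["ts"] < earliest[account]:
            earliest[account] = finding["ts"]
    return earliest


if __name__ == "__main__":
    hits = detect(SAMPLE_AUDIT_LOG)
    for hit in hits:
        print(hit["ts"].isoformat(), hit["account"], hit["host"], ", ".join(hit["reasons"]))
    for account, ts in first_seen(hits).items():
        print(f"{account}: anomalous activity first seen {ts.date()}")
```

On the constructed log the check flags three sessions (two at night from an address outside either administrator's baseline, one during the day from that same address) and reports the first anomalous date per account, which is the question the memo answers by hand with "sporadically since Dec. 10, 2014". The point of keeping the baseline per account rather than global is that the signal the Anthem administrator noticed, a query under his own logon that he had not started, is exactly a mismatch between the account and the person who owns it.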

If the memo is authentic, that means the breach was discovered the same day that Congress began holding hearings on legislation to set nationwide data security standards.