Day 2 of the Anthem hack, and we don’t know much more than we knew yesterday. There are intriguing grain-of-salt reports that Chinese hackers stole the data as part of a never-ending quest to build intelligence on U.S. government agents. There are plenty of reports — which must be true, because they haven’t been denied — that the stolen data wasn’t encrypted. It’s not easy, and often impractical, to encrypt production data that’s in regular use. One has to wonder why data from former Anthem customers wasn’t encrypted.
Click above, and you’ll see my appearance last night on the NBC Nightly News. You can also click here and see some different comments I made on the TODAY show. In short, the fraud that could come as a result of this hack — involving SSNs, employment history, emails — is so broad that it’s very hard to offer what-you-should-do advice.
Here’s the piece I wrote yesterday about Anthem, in case you missed it:
Another day, another massive computer hack that sets millions of people in a tizzy about something they can’t control. The Anthem health data leak isn’t the Big One — that’s still coming, believe me — but it’s pretty big. Perhaps 80 million people now have to worry that a criminal gang has their name, birthday, email, Social Security number, and perhaps even their employment history and salary.
It’s easy to imagine all the bad things that can happen to you if that data gets in the hands of a professional criminal. Sure, consumers will get *another* offer of free credit monitoring — handy, because the Target free monitoring just expired. But really, that’s a bit like telling a man to boil water when a pregnant woman’s water breaks. Busy work.
What’s broken here is the system. What’s missing here is bold action. While Washington D.C. bickers over a new privacy law that enacts technological-era change at a glacial pace, hackers are running circles around our nation’s companies. Nobody I know who works in cybersecurity thinks things are going to get better. Last year’s Sony hack set the stage for this, and other stories you see this year. Computer criminals are about to abandon credit card database hacks. With the move to chip-enabled credit cards, stolen account numbers will soon have less value. So that migration has already begun. As I often say, fraud is like a water balloon. Squeeze one end, and the other end just gets bigger.
But there’s more going on here than chip card change. Sony taught hackers a valuable lesson: even data that might not seem valuable can be priceless if leveraged in the right way. The old thinking: Who cares about stealing a million emails? Most of them are boring drek. Get the payment card data. The new thinking: Grab everything, and we’ll figure out how to monetize it later. It only takes a few embarrassing emails to convince a CEO to stop a product launch, or cough up a few million dollars. Turning millions of credit card numbers into cash is hard work, involving an army of mules and real-world risk. Turning private data into an extortion payout is much easier.
So we see with the Anthem hack that, according to the company, criminals didn’t even seem interested in the payment card data. They wanted everything else. And now, like a hunter who uses every part of dead prey, they will pick over the data and try to monetize it in dozens of ways. New account fraud. Phishing. Extorting consumers. Perhaps they’ve already tried to extort the company. Since victims do not have the option of canceling their birthdays or employment background, they will have to worry about this for a very long time.
Why? Anthem was warned. The FBI issued a warning last year that health care firms use archaic systems which are easy hacker targets. Why would Anthem leave such data in an unencrypted state, lying around for the taking? More important, why would Anthem have data on potentially millions of former customers, also sitting there for the taking?
The reason: Anthem didn’t see value in the data the way consumers do, and the way the hackers do. Notice that no medical information was stolen. That’s because it’s part of Anthem’s core business. Consumer information is not. Maintaining that is merely a cost. You see this pattern again and again. Why was Target’s credit card database stolen? Because Target isn’t a bank, it’s a department store. Why was Sony’s email stolen? Because it wasn’t a movie in production, it was just email.
Change must come. Data is everyone’s core business now. Firms need to actually take the protection of our data seriously, not merely say they do in letters revealing they’ve been hacked. Meanwhile, it’s time to work with the reality that millions of Americans have now been permanently exposed to identity theft through the heist of their Social Security numbers. The right way to deal with that is simple: We need to devalue the stolen information. One modest proposal you will hear is to simply make all Social Security numbers public, thereby ending once and for all their use as a unique and “secret” identifier.
That kind of fresh thinking is the only way through this problem. And that kind of bold step could only be taken with leadership from the federal government. We’re still waiting.
See you in another week or two when the next big hack hits.