Article: Will Anyone Learn From Hacks?

I’ve been thinking about Anthem’s data breach over the last couple of days, especially since I know quite a few people that are potentially affected. As someone who eats, sleeps, and breaths technology, I was frustrated and angry about the situation and how it’s yet another data breach. Each time some sort of security issue is announced, it seems progressively worse, and I’m wondering why companies don’t seem to be learning, and lawmakers would rather ignore the issue.

I’ll be the first to admit that I don’t know about Anthem’s systems, but it is frustrating to a lot of people involved about how companies seem to treat your data. For example, I was affected by JPMorgan Chase’s carelessness last summer, and they played it off like it was no big deal. Sure, nobody had access to my account, but I certainly saw an increase in spam and phishing emails to the address they had on file. Some say this could have been avoided by using two-factor authentication, but it was too late after the fact. There were attempts to hack other banks, but they had their houses in order and nothing happened. I’d expect the largest bank in the United States to have the best security, but apparently not. Needless to say, for this and a few other reasons, I am no longer a Chase customer.

Anthem has set up a web site on the matter, and shared what kind of data was stolen:

However, despite our efforts, Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.

Calling it “very sophisticated” is most likely PR speak. I hate that—it’s the same kind of language that infomercials use to try to make a product sound more exciting than it is. Additionally, so many of these breaches try to spin that they did all they could to prevent it. With Anthem, any former members’ information should not be actively available or in use—move it to a different database. Next, the fact that the hackers got most data points for identity theft is concerning. All of the items except Social Security numbers are pretty standard for data breaches these days, but if you add that to the mix, it gives the highest bidder all the keys they need.

Trying to throw in that credit card information wasn’t stolen as some sort of, “Look, it’s not that bad,” is bogus. Although it is a hassle to replace a stolen credit card number, it happens frequently enough that the card issuer can generate a new number and the breach was little more than a bad memory. Social Security numbers are almost impossible to replace.

Looking at data breaches in general, the Sony hack was most likely retaliatory and had that scope of data stolen, but everyone that wasn’t directly involved with Sony seemed to have the attitude that it wouldn’t happen anywhere else. This time, it did, and while I don’t want to resort to victim-blaming, this isn’t the first time Anthem has run into a data breach. Some argue they could have done more from an encryption standpoint.

I think that these breaches need to be addressed in a few ways, especially since it seems that most companies do not give a shit about customer data.

First, as a country, we really need to move away from the 1930s technology of the Social Security number as your only identifier. While individuals keep it private, the fact that companies leak these nine digits and a few other key facts about you gives anyone the ability to commit identity theft. It was never intended to be your identification and verification for bank accounts, medical records, loans, utilities, and more.

Second, with each breach, this should serve as a warning to other companies to improve their security and revisit their policies for customer data. After Target was hacked, Home Depot’s hack should not have happened. Instead, management ignored warning signs for years. A number of companies have paid dearly for breaches in terms of public perception. You would think that would be enough to encourage improvement, but apparently the bottom line and relying on luck are good enough for some. Because of this, there should be bigger penalties to make not only a data breach hurt from a “we were attacked” standpoint, but also a “we didn’t do enough to protect things” standpont. Fines or lawsuits should help. Basically, it should be so much of a pain that companies will go out of their way to protect data.

Third, since no system is impenetrable, there should be some sort of leniency if companies come forward and share the news. I’ll give Anthem credit for announcing it within a week, while JPMorgan Chase waited. If a time window does become law, it could just mean stiffer penalties for companies that ignore it. Basically, any legal or regulatory penalties would be bad either way, but much, much worse if companies denied breaches.

Still, the issue boils down to the fact that companies are weighing the costs of reworking systems and processes versus the costs if there was a breach. We can’t necessarily make those decisions, but we can certainly sway them with bigger threats.

On the flip side, moving away from Social Security numbers for identification/verification should happen sooner than later. Originally, they were never designed for that, and the fact that they are an attractive target for thieves means we need to revisit that system. Although that probably wouldn’t change soon, I would like to at least see some sort of supplementary information that isn’t stored and can prove that I am me. Whether it be some sort of extra PIN, a biometric authentication, or even at least additional identifications, something needs to change. The credit card companies and Apple have figured out a similar idea with Apple Pay (disposable device number separate from your real number, fingerprint/PIN verification) and that leads me to believe something could be possible, just that nobody wants to take the first step.

Although I doubt this Anthem breach will be the last, I certainly hope it’s the first to start a conversation with reinventing the entire system. Regulations may require additional though and discussion, but we have plenty of technology, so let’s use it.