Why you should care about the Anthem breach

When Anthem disclosed that it had experienced a massive security breach last week, I heard more than a few rather blasé "oh, another security breach?" comments from friends, family and colleagues. Admittedly, the constant barrage of very notable hacks (e.g. Target, HomeDepot, eBay, JPMC, Sony, etc., etc., etc.) over the last year has been daunting, but I was shocked at how much this has numbed us. This numbness is dangerous, too, since we've started tuning out situations that are bound to impact us.

Fortunately, most of the breaches in recent history involve loss of credit cards. While it is inconvenient, consumers are protected from unauthorized charges on their credit cards, so the impact of these events on consumers is heavily mitigated. They still suck for the merchant that was breached, but at least consumers are already protected.

The Anthem situation, however, is different. As the 2nd largest insurance provider in the US, its breach exposed names, dates of birth, social security numbers, physical addresses, email addresses, and employment information (including some salary info) for upwards of 80 million of its current and former customers. This means that if you had insurance coverage from Anthem (which ~25% of Americans do) then your most sensitive data is now in the hands of hackers.

What Anthem is doing about it

The only info Anthem seems to have shared is the statement on their site, which indicates they've engaged the FBI on this, they're working around the clock to fix this, and they'll be sending letters (yes, ink on paper) to the 80 million to let them know about the credit monitoring and ID theft protection that will be offered. Phone calls to Anthem for more info have yielded scripts being read about how important our data is, how committed Anthem is to fixing this, and how we should wait by the mailbox for a letter with more details.

It's understandable that they're reticent to share information over the phone, given authenticating customers under normal circumstances, but it becomes really challenging when all the data you would use to authenticate them has been stolen, which means you could be talking to anyone. To their credit, Anthem will be incurring significant costs to have mail exchanges with 80 million people, not to mention the costs of credit monitoring and whatever ID theft solution they decide to offer. Add that to the costs of finding + fixing the holes, dealing with class action suits, regulatory inquiries, continued oversight, etc., and this is a downright nightmare. Having lived through breaches a couple times in my past, I sympathize with the stress this puts on a company, their employees, and their customers.

Let's put this in perspective, though. This isn't Anthem's first time to the rodeo. Back in 2010, Anthem - then WellPoint - was hacked, resulting in >600k similar records being taken by hackers. That was an early and low-cost lesson on how painful it is to lose customer data, yet this still happened. While Brian Krebs suggests that this may be state-sponsored (China), the evidence is hardly conclusive, and even if it was state-sponsored, it's inconceivable that 80 million pieces of uber-sensitive PII were left unencrypted for the taking.

Adding insult to injury, while 80 million people wait for Anthems snail mail, phishers have already engaged via email to take advantage of the situation, making things much, much worse for the soon-to-be victims of ID theft.

This should concern you. BIG TIME.

Let's think about this for a minute. If you're one of the unlucky 80 million, your most personal identity data has been stolen, and if you caught the news or were notified by someone that did (because Anthem isn't using modern technology to alert you), then you need to wait by the mailbox for instructions. Oh, and by the way, while you're waiting, expect to receive fake notifications from Anthem, your current and past employers, the government, and anyone else that is plausibly involved here, all trying to convince you share the same data with them, so they can "authenticate" you and offer "protection."

If you're not scratching your head, wondering why-the-heck this is all happening in slow motion, you should be! What did it take for you to open your last credit card? How about apply for a loan? Get a job? See a doctor? Get test results from your doctor? Get your transcripts from school? Rent an apartment? You guessed it - your name, DoB, SSN, previous addresses, and employment data. Those little pieces of information unlock access to all of your life's accomplishments.

It doesn't end with true name ID theft, though, because that would be too easy! If these shady characters decide to commit synthetic ID fraud, they could use a fake name and piggyback off your good credit (or that of your parents/children) and accomplishments for years and go undetected, so long as they don't make waves (e.g. stop making payments on a car purchased under your SSN). This is pretty common, especially with illegal immigrants, since many services that use your SSN only ping your credit file when "you" stop paying "your" bills.

But wait, there's more! Should these folks feel malicious, they can use those same pieces of information to destroy your life. How? What did your mobile phone company use to authenticate you last time you called them? Your utility companies? How about your financial institutions (ie. where you deposit your money, but also who you have credit cards with, a mortgage, loans, investments, etc.)? Yes, full and unfettered access to all your data will shortly be for sale - actually, it's probably already been sold - to those that have no concerns with hosing up your life. Don't worry though, a letter is on the way with further details on how Anthem will protect you.

While you're waiting by the mailbox, it's worth considering how this will have a halo effect for the years to come. SPAM and phishing will now be significantly harder for consumers to recognize, since it will have legitimate data in the emails, so even with ID theft protections in place, consumers are still exposed. Your core PII details like SSN, physical/email address, phone, etc., are also not likely to change, which means the impact of this event will stretch far into the future. Anyone else hope Anthem's ID theft coverage is for life?

What this means to you

At the risk of being a wet blanket, I'm going to say you were already at risk for ID theft before Anthem... this breach just accelerated the inevitable. The Bureau of Justice Statistics published a report indicating ID theft is already impacting 16.6 million Americans each year - almost 2.5x the number of violent crimes that happen every year. Let's not even talk costs - $24billion/yr for ID theft is insane.

Consumers, of course, are the ones paying the biggest price for ID theft, with an avg of 30 hours spent to stop the abuse, implement protections, and remove the fraudulent credit/identity entries. This doesn't include the emotional stress that accompanies such an event, or the challenges involved in correcting ID theft for children, who typically don't use their credit, which means abuse often goes undiscovered for years. Now that 25% of Americans PII is in the possession of the faceless hacker horde, you need to do something.

First, it's essential that you add 2-factor authentication to your critical accounts, especially email and financial. Yes, it's kind of a pain in the ass, but it's free, and to not do this is insane, given what can happen (see my previous post on Monitoring Your Cyber Health). Here's a list of platforms that support 2-factor authentication, so you can't blame not knowing :)

Next, you'll want to set up an account on PwnedList to see if your email addresses/passwords have been found on the hacker underground. Pwned will also send you alerts if they ever DO find your credentials floating around. This incredible service is completely free.

Once you do that, it makes sense to clean up any PII that's already in "public records databases" about you, and understand what you're sharing through your social media accounts. SafeShepherd is a platform that can help you tackle both. They have a free trial, and a monthly/annual subscription you can pay thereafter.

Beyond that, you'll want to consider a comprehensive ID theft protection service, which should not only monitor credit inquiries, but also public records related to your identity, social security changes, social network activity, bank activity, etc.. NextAdvisor seems to have a good list of various vendors, pricing and coverage. Some employers are starting to offer ID theft services to employees as part of their benefits package, so you may see an offering from InfoArmor or company of that nature, and since it's at a discount over going direct (or free), I highly advise you take advantage of offerings like this.

Once you have these controls in place, you'll be in a lot better position. There is still risk, but with the right amount of friction, hackers will move on to the next, easier, target.

Would love to hear any thoughts or ideas about how we should be thinking of identity, as well as potential implications of moving to a different model.