The Anthem Hack: Sophisticated? Maybe, Maybe Not.

by Jim Noble, Director TAC International

The news on Wednesday that Anthem’s systems had been compromised ranks among the largest ever such breach. Simply on the basis of the number of people affected, it is double the size of the Target incident. But therein lies the complexity of this subject. Many companies suffer a breach, but it is not “material” in a business risk context, and so it attracts little publicity. The formula says Materiality = Threat x Vulnerability x Consequence.

While the Threat is widely acknowledged, there seems to be widespread denial of the Vulnerability. As in the case of Sony, it is tempting to pardon this sort of lapse as “inevitable and inescapable” because of the sharply focused and sophisticated nature of the attack. But that is a pathetic excuse, and deserves a robust challenge in a lawsuit on the basis of neglect of their fiduciary Duty of Care on behalf of their shareholders. Instead of taking the issue seriously and dealing with basic deficiencies, companies are throwing technology (hardware and software products) at the problem and installing more and more sophisticated equipment, which is often poorly configured and managed. If you look at the root causes of healthcare breaches on HHS.gov you will be amazed at how trivial most are. But companies always say they were the subject of a sophisticated attack. I guess this protects against negligence law suits. Healthcare breaches have continued to increase after HIPAA was implemented.That complacency also extends to Consequences. For companies handling credit card data such as Target, Home Depot & TJ Maxx, the consequences were fraudulent transactions on their customers’ accounts, which can be addressed by the card issuers, or credit watch companies like Equifax. For companies with sensitive intellectual property like Sony Pictures Entertainment, knowing what has been stolen helps them to take steps to mitigate the consequences. In the case of Anthem, the consequences could be much more serious, because the personal data could result in identity theft, which is a more complex situation to recover from.

So how is it that avoidable incidents keep happening? How could Home Depot and Neiman Marcus fall into the same trap that Target did months earlier? Could it be that this is not considered material enough to spend money on both the technology (to prevent & detect data losses) and the human behavioral changes needed to minimize incidents? Maybe it is just the cost of doing business, and we should just buy insurance to cover for the results of incompetence.