Was the attack actually sophisticated? Usually, when megacorporations get pwned, the attack is not sophisticated at all, but they pretend it is (for PR reasons). This page doesn't tell us much about the nature of the attack, which is understandable. And as for what was compromised... almost everything of value?
Given that this is an insurance company, I imagine the attackers were either criminals (who wanted to steal this information for identity theft), or state-sponsored attackers (who would want this information for HUMINT reasons, such as verifying identities or determining good targets).
We won't get any technical details. The fact that this was pulled off and the initial compromise was a year ago means they've got no alarm bells for someone dumping the DB.
It's negligence at its finest. Here's to hoping for class-action. 2 years free "identity theft protection" (which is useless to consumers until post-theft) and credit-report monitoring (which is free to them, and again only comes up post-theft) is pretty bullsh*t.
> And as for what was compromised... almost everything of value?
If the attacker has been in your "IT systems" for 9 months, you'd have to assume _everything_ has been compromised. All the data those systems stored, all passwords that've been used to log into those machines, everything.
So what happens when more than 50% of the US population has their semi-private data spilled out into the open?
We're getting closer to a day when there will be collated a single text file with name, dob, address, SSN, ID#, and maybe ccn for hundreds of millions of people. It will just float around the net ready for use/abuse.
What happens? A quick move to biometrics? Ignore it and hope it goes stale?
Right now Chase keeps dubious stuff from happening by requiring text confirmation for all my "out of pattern" purchases but that's kind of clunky.
I would guess that the PII of close to 100% of anyone who has ever done business with any financial services or insurance company has been compromised. We have to get to a point where this information is just assumed to be public and not valid for identity purposes.
Two-factor would also help. Even if it's manual, expensive "CC vendor calls each cardholder who makes a large credit card transaction before clearing it" style efforts, which bankers at least understand.
"Our investigation determined that the attackers may have gained unauthorized access to applicants and members’ information, which could include member name, date of birth, email address, address, telephone number, Social Security number, member identification numbers, bank account information, and claims information, including clinical information."
Then, of course,
"The security of our members’ personal information is a top priority."
One wonders if the attackers could generate a massive number of medicare invoices that paid out to a bogus company which transferred all of the deposits off shore.
So they waited 7 weeks before informing their customers? That's unacceptable. I wonder how many other Blue Cross companies were affected and we simply haven't been told yet.
I called to ask about it, and was told that they were following the recommendations of Mandiant and the FBI; that they may put consumers at more risk if they announced prior to remediating their systems.
It's an interesting point of distinction, as Washington state law requires disclosure "in the most expedient time possible ... The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation."
Let's assume he's an actor and DNS is poisoned. Clearly this is intended to reach a wide audience. Presumably, the real CEO would learn of the fraud shortly. Let's say that takes a few hours. The corrected DNS will take 4 hours to propagate. So, how many people will sign up for fraud protection in between?
If I was designing an attack, a high visibility, low persistence attack where I send my victims to a website not under my control (unless you're asserting the attackers also got control of protectmyid.com) would not be my first choice, especially if I'm spending the money it took to shoot that video and stream it to all the people who you ostensibly want to see it.
> The corrected DNS will take 4 hours to propagate.
This misconception bothers me a lot. DNS changes are complicated: there's no "n" where "n = the amount of time where any domain will magically be fixed".
"Propagation" is based on the configured TTL values of the specific DNS records requested, for the specific zone. Add in layers of application/OS/intranet/ISP/DNS provider caching, and it's a complicated nightmare to fix/predict reactively.
Most BIND9 installations use 86400 seconds by default: 24 hours. And some domains use more, some less, some have dynamically generated TTLs to simulate changing of records at a set/recurring wall clock time, instead of a time to live, some DNS caches are reset frequently, some caches retain values much longer than allowable by TTL...
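The TTL point above, worked through as an added example (not code from anyone in this thread): a toy model of a client's lookup path through several caches, showing that a corrected record becomes visible only when each cache's own stored TTL runs out. The record name, addresses and the "intranet cache clamps short TTLs upward" behaviour are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Cache:
    """One caching layer (OS stub, intranet resolver, ISP resolver...)."""
    name: str
    min_ttl: int = 0   # assumed: some caches clamp short TTLs upward
    store: dict = field(default_factory=dict)   # qname -> (value, expires_at)

    def lookup(self, qname, now, upstream):
        hit = self.store.get(qname)
        if hit and now < hit[1]:
            return hit[0], hit[1] - now          # cache hit: hand down remaining TTL
        value, ttl = upstream(qname, now)        # miss: ask the next layer up
        ttl = max(ttl, self.min_ttl)
        self.store[qname] = (value, now + ttl)
        return value, ttl

class Authoritative:
    def __init__(self, records):
        self.records = dict(records)             # qname -> (value, ttl)
    def query(self, qname, now):
        return self.records[qname]

def resolve(chain, auth, qname, now):
    """Walk the caches client-side first; each falls through to the next on a miss."""
    def upstream_for(i):
        if i == len(chain):
            return auth.query
        return lambda q, t: chain[i].lookup(q, t, upstream_for(i + 1))
    return upstream_for(0)(qname, now)[0]

def first_seen(chain, auth, qname, new_value, start, horizon, step=60):
    """Earliest probe time at or after `start` at which the client sees new_value."""
    for t in range(start, horizon, step):
        if resolve(chain, auth, qname, t) == new_value:
            return t
    return None

def scenario(old_ttl=86400, new_ttl=300, change_at=600, clamp=0):
    """Constructed scenario: a client cached the record at t=0, the operator
    then changes it (and lowers the TTL) at change_at. Returns (t_seen, delay)."""
    qname = "www.example.test"
    auth = Authoritative({qname: ("192.0.2.1", old_ttl)})
    chain = [Cache("os"), Cache("intranet", min_ttl=clamp), Cache("isp")]
    resolve(chain, auth, qname, 0)               # populate every cache before the fix
    auth.records[qname] = ("192.0.2.2", new_ttl)  # the fix: new address, short TTL
    horizon = change_at + 4 * max(old_ttl, clamp)
    t = first_seen(chain, auth, qname, "192.0.2.2", change_at, horizon)
    return t, t - change_at
```

With the BIND9 default of 86400 the fix is seen a full day after the original lookup, and with a 300-second record behind a cache that clamps TTLs to an hour it is still not seen until that hour is up, whatever the authoritative TTL says.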