Human error, not technology, is to blame for a potentially "disastrous" data breach that compromised the Social Security numbers of up to 80 million health insurance customers, a cybersecurity expert said Thursday.
Blue Cross Blue Shield insurer Anthem sent notices to its customers Thursday, notifying them a "very sophisticated external cyber attack" had given hackers access to current and former customers' personal information, including names, addresses, birthdays and Social Security numbers.
The Associated Press reported the breach could affect up to 80 million people.
"Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data," Anthem president and CEO Joseph R. Swedish wrote in a message to customers.
Vijay Anand, an assistant professor who teaches cybersecurity at Southeast Missouri State University, said it wasn't security technology that failed, but people.
"It's people. It's us people. We make mistakes," he said. "The technology is good -- whatever technology we have is all pretty high-end. ... Attackers cannot really break that technology that is there."
Proper encryption of customers' personal data could have thwarted the attack, Anand said.
"Encryption technologies have been there from Julius Caesar's time, so it's not really that complex," he said. "... It looks like it is total sloppiness on their side, because how can you keep something unencrypted in today's date?"
Reached by email Thursday, an Anthem representative did not answer questions about whether the company had attempted to encrypt customers' personal data, responding instead with a statement that appeared to be a paraphrased version of Swedish's statement and referring reporters to the AnthemFacts.com website, which the company set up in response to the breach.
The site contains no information about Anthem's encryption practices or lack thereof.
In his message to customers, Swedish said credit-card numbers and medical information did not appear to have been compromised by the breach, which affected Anthem's employees, including himself.
He said the company is working with the FBI and has retained cybersecurity company Mandiant to evaluate its systems and recommend security improvements.
Once Anthem determines whose information has been accessed, it will contact those customers and provide them with free credit monitoring and identity protection services, Swedish wrote.
The Anthem cyberattack is more problematic than others in recent years because of the type of data involved, Anand said.
"If something happens with your Social Security number, then that is a big issue. ... It actually is a much more disastrous thing than a credit card getting stolen," he said.
When credit-card information is stolen, victims can protect themselves by canceling the card and disputing any charges thieves might have racked up, Anand said.
But cyberthieves who gain access to names, addresses and Social Security numbers can steal victims' identities, establishing lines of credit and running up bills without their knowledge.
Anand and Cpl. Darin Hickey of the Cape Girardeau Police Department advised potential victims of any data breach to monitor their financial accounts and credit histories.
"Anytime that someone may feel that their identity has been compromised ... the No. 1 tip that we give people is keeping an eye on your accounts, checking your credit history, and if there is any suspicious activity ... then contact your local law enforcement agency," he said.
A crumbling credit rating may not be the worst of the potential problems, according to the Social Security Administration's website, socialsecurity.gov.
Identity thieves also can use Social Security numbers to steal victims' income-tax refunds or obtain work under their numbers, misleading the Internal Revenue Service into believing the victims have underreported their incomes, the website stated.
Unlike credit-card numbers, Social Security numbers are difficult to change, and a new number does not guarantee a fresh start or an end to a person's credit problems, as he or she will have no credit history under that number, the website stated.
"When people start really getting affected, the scale will become a nightmare," Anand said.
The hackers' intentions and the full effect of the breach may not be known for months or even years, he said.
"We don't know who has attacked, also, at this point. This can be many people. It can be individuals, corporations, criminal corporations or governments -- we don't know who it is," Anand said. "... It will take some time before we find out and identify the repercussions of it."
Who will feel those repercussions is not yet known, but Cape Girardeau city employees could be among the victims.
Nicolette Brennan, public information manager for the city, confirmed Anthem provides employees' health insurance.
"We did just send out a citywide email making everybody aware of the situation," she said Thursday afternoon.
Anthem also is the Southeast Missourian's health-insurance provider.
While people can take steps to make themselves harder targets for identity thieves -- for instance, shredding documents containing sensitive information and avoiding business transactions with people or companies they do not know well -- they simply cannot protect themselves from every crime, Hickey said.
"You can have the best alarm system, the biggest dog and the biggest gun in your house, but it's not going to keep the burglar out if he really wants to get in there," he said.
epriddy@semissourian.com
388-3642
---
If you believe your personal information has been compromised, experts recommend the following precautions: