Anthem hack: Personal data stolen sells for 10X price of stolen credit card numbers

Crooks will use the information to steal identities, not just run up credit card bills.

The hackers who stole personal data from health insurer Anthem stand to make a whole lot more than the ones who stole 56 million credit and debit card numbers from Home Depot because the potential payback per identity is so much greater.

"Compared to credit card information, personally identifiable information and Social Security numbers are worth more than 10x in price on the black market," says Martin Walter, senior director at RedSeal.

+ Also on Network World: Insurance giant Anthem discloses huge customer and employee data breach |Breaches are a personal nightmare for corporate security pros +

That could be a conservative estimate, according to a report by PwC called "Managing cyber risk in an interconnected world: Key findings from The Global State of Information Security® Survey 2015."

"A complete identity-theft kit containing comprehensive health insurance credentials can be worth hundreds of dollars or even $1,000 each on the black market, and health insurance credentials alone can fetch $20 each; stolen payment cards, by comparison, typically are sold for $1 each," the report says.

The price differential is due to the ability to use identity information birth dates, Social Security numbers, addresses, employment information, income, etc. to open new credit accounts on an ongoing basis rather than exploiting just one account until it's canceled.

But that's not all. "The information attackers were able to access from Anthem are key pieces of data that can be used to access someone's financial records," says Eric Chiu, president & co-founder of Hytrust, making it possible to find and drain individuals' personal cash reserves.

It's not known exactly how many Anthem customers' data was stolen, but the company has 37.5 million subscribers plus another 68 million served by its affiliates.

Water says this type of massive theft from a health provider should have been expected. "It was only a matter of time until hackers found out that it's much easier to go after Social Security numbers and personally identifiable information with healthcare providers, which in comparison spend significantly less on security, making them tentatively easier targets."

While health organizations do spend less on security in general than some other markets such as finance, they are making strides, according to PwC; their security spending in 2014 was up 66% last year over 2013.

Last year, healthcare providers and payers reported a 60% increase in detected incidents resulting in financial losses jumping 282% over 2013. The possible explanation: attackers are targeting healthcare entities for their patient health data.

While health industry providers are boosting security spending, they may not be doing so in order to protect existing customer data, PwC says. Rather it may be to secure the blossoming number of new health-monitoring devices that help comprise the Internet of Things. "Consider that almost half (47%) of healthcare provider and payer respondents say they have integrated consumer technologies such as wearable health-monitoring devices or operational technologies like automated pharmacy-dispensing systems with their IT ecosystem," according to the PwC report.

The attack was detected last week when a systems administrator saw a database query he hadn't initiated was being run using his ID, according to a report in the Wall Street Journal. The stolen data was found stored in a Web-storage cloud service and secured. But it was uncertain whether the thieves had already backed it up from there to another location, the report says.

"Statements indicating that the company immediately made every effort to close the security vulnerability suggest that a known vulnerability was exploited in the corporate web environment or that a payload was delivered via spear phishing to employees but was easily corrected once identified as the point of entry," says Adam Meyer, chief security strategist at SurfWatch Labs.

The breach was reported to HITRUST Cyber Threat Intelligence and Incident Coordination Center, a health industry alliance to better prepare healthcare organizations for dealing with security. "Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation," HITRUST says.

Anthem has also hired Mandiant to evaluate its systems, according to Anthem CEO Joseph R. Swedish in an online letter to the company's customers.

The incident should serve as a wake-up call. "If the healthcare sector doesn't get the message that they are storing treasure troves of information and are not doing enough to protect it, I can only hope consumers and companies who provide healthcare plans speak with their wallets and work with healthcare providers that go above and beyond to protect the most personal of an individual's information," says Sean Mason, vice president of Incident Response at Resolution1 Security.

"This attack is 1.0 for major league healthcare," says from Tim Eades, CEO of vArmour.

Join the CSO newsletter!

Error: Please check your email address.

Tags AnthemsecurityHome DepotPwC

More about FBIHome DepotThreat IntelligenceWall Street

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts