The U.S.’s second largest health insurance company, Anthem Inc, has agreed to pay out a record-breaking settlement over a huge data breach from two years ago.
Around 79 million people had their personal information compromised during the hack, and it’s safe to say Anthem are paying for their mistakes given the settlement. Data breach victims include current and former clients, and it’s thought that lawyers will need to sift through a lot of information to pinpoint exactly who was affected, how much data was compromised, and the impact the breach had on them.
Security monitoring
The majority of the money will reportedly be used to pay for security monitoring so victims are not left to completely fend for themselves. Monitoring can help victims spot unusual behaviour that could indicate malicious and/or unauthorised activity on their accounts. According to Reuters, victims who are “already enrolled in credit monitoring may choose to receive cash instead, which may be up to $50 per person”.
A wealth of information stolen
Back in February 2015, hackers managed to get into Anthem’s database, accessing personal and sensitive information including:
- Full names
- Birthdays
- Social security numbers
- Member ID numbers
- Telephone numbers
- Addresses
- Email addresses
- Employment information
- Income information
Whilst the hacker(s) did not obtain credit card information or medical records, the information they did steal could still be used or sold on the dark web.
One popular trend in the past couple of years is to sell personal information to people who use it for phishing scams or identity theft activities.
Criminals can contact data owners by email or phone, quoting information the owner would not readily publicise as a way to appear legitimate. Once the criminals gain a victim's trust by impersonating a company the victim actually uses, some victims may let their guard down and pass on further information that can lead to fraud.
Warnings about the impact of the breach
Paul Stephens, the director of policy and advocacy at American security firm Privacy Rights Clearinghouse (PRC), warned of the impact the breach may have and said:
“You essentially have the keys to the kingdom to commit any type of identity theft. The information can be used… to penetrate existing accounts at financial institutions or a stock brokerage.”
Largest data breach settlement in the U.S.
The $115 million settlement is the largest sum paid for a data breach in the U.S. One of the main aggravating factors could be that the information was reportedly not encrypted. This invited a lot of understandable criticism from security experts, as encryption is a basic yet effective ‘first level’ of security protection. Like locking your front door, encryption at least puts a functioning barrier in place that criminals have to overcome, and it can act as a deterrent.
Leaving such a vast wealth of information unencrypted just seems so reckless.
The hacker reportedly stole employee credentials to gain access to the client database. There are calls for a review and an overhaul of how information is processed and stored, and of which security firewalls are put in place, so that the data is not only safe from a “purely” outside attack but the amount and level of information an employee can access is also duly restricted.