Anthem, Apple and the Pentagon: A Data-Breach Cornucopia

Like pumpkin spice and turning leaves, data breaches have become a theme for the fall. This season is shaping up to be no exception, with Anthem, Apple and, worryingly, the Pentagon all making headlines in the last few days.

“This activity won’t stop. In fact, left unchecked it will get worse,” said Pravin Kothari, CEO of cloud security vendor CipherCloud, via email. He added that major incidents should prompt others to use best practices, like the end-to-end encryption of data, both in the cloud and on-premise, the use of two-factor authentication, network segmentation and more.

Anthem

In the case of Anthem, the second-largest healthcare insurer in the U.S., it has agreed to pay a record $16 million fine to the government stemming from its massive 2015 breach, which was the largest healthcare data compromise in U.S. history.

A cyberattack that started with a spear-phishing email gave attackers access to sensitive data for weeks, including the Social Security numbers of tens of millions of Americans, along with names, birthdays, medical IDs, street addresses, email addresses and employment information, including income data (credit-card or medical information, such as claims, test results or diagnostic codes, were however left out of the mix). In all, nearly 79 million current and former customers were affected.

Like the breach at the Office of Personnel Management in 2015 that affected 21.5 million federal employees and contractors, security researchers suspect the attack was carried out by a nation-state-backed APT.

The insurance giant, which covers around 40 million people, is paying the fine in order to settle potential privacy violations with the Department of Health and Human Services; DHHS said that Anthem had failed to put in place appropriate cybersecurity policies and procedures, and that it lacked “adequate minimum access controls” to identify and shut down cyberattacks.

In addition to the fine, Anthem also agreed to government monitoring. It did not, however, admit liability in the case.

The sum is the largest fine ever collected by the DHHS in a healthcare data breach (nearly three times that of the next-largest assessment, according to the agency), but it pales in comparison with what Anthem has already forked out.

Last June, it agreed to pay out a record $115 million to customers affected by the incident, in response to more than 100 lawsuits against the company that were combined into one. It also had paid out more than $260 million for remediation and clean-up following the breach.

“Anthem takes the security of its data and the personal information of consumers very seriously,” the company said in a media statement on Monday. “We have cooperated with (the government) throughout their review and have now reached a mutually acceptable resolution.”

Apple

Meanwhile, in Cupertino, Apple said that it was “deeply apologetic” over the hacking of Apple IDs belonging to Chinese customers – the compromise led to users being bilked out of various sums, as the cybercriminals used the Apple IDs to pay for goods and services.

Apple also said in a statement Tuesday (via the Wall Street Journal) that the attack came via phishing scams – no further details were given about how the hackers acquired the users’ Apple IDs and passwords. Apple didn’t immediately respond to a request for comment from Threatpost on the matter.

Apple said that it found “a small number of our users’ accounts” had been accessed. In a corresponding Chinese statement, it added: “We are deeply apologetic about the inconvenience caused to our customers by these phishing scams.”

The computing behemoth said that it would reimburse users for the fraudulent charges – but added that the payment fraud could have been prevented had users enacted two-factor authentication on their devices.

The hack was revealed last week when two of the top mobile-payment providers in China, Alipay and WeChat, reported that customers were discovering that they were on the hook for App Store purchases they didn’t actually make. Mobile-payments users often link their Apple accounts to the Alipay or WeChat platforms.

The Pentagon

Meanwhile, on Friday, the Department of Defense admitted to a compromise of personal information and credit-card data belonging to U.S. military and civilian personnel that affected at least 30,000, with possibility of uncovering yet more victims as the investigation develops.

That news came as the federal Government Accountability Office (GOA) also assessed there to be “mission-critical cyber-vulnerabilities” in the Pentagon’s advanced weaponry systems.

According to a U.S. official speaking to the AP, the incident was discovered Oct. 4, affecting the agency’s travel department — but, it may have been an ongoing situation for weeks before that. Pentagon spokesman Lt. Col. Joseph Buccino said that no classified information was compromised, and that the Pentagon was still investigating the hack and who might be behind it.

He did reveal that the breach was caused by a compromise at a third-party supplier (so far unnamed) – evidence yet once again that supply chains represent a ripe attack surface for criminals.

“It’s important to understand that this was a breach of a single commercial vendor that provided service to a very small percentage of the total population,” he said. “The DoD “has taken steps to have the vendor cease performance under its contracts.”

“The department is continuing to assess the risk of harm and will ensure notifications are made to affected personnel,” the DoD added in a media statement, adding that it will provide fraud protection services for victims.

Michael Magrath, director of Global Regulations & Standards at OneSpan, told us that many of the affected individuals in the DoD breach have likely been victimized in other large and small-scale breaches over the past few years, including the aforementioned Office of Personnel Management breach in 2015.

“The treasure trove of personally identifiable data on the Dark Web just continues to grow, enabling fraudsters and steal identities or create new, synthetic identities using a combination of real and made-up information, or entirely fictitious information,” said Magrath. “For example, the personal and credit card information obtained in the DoD breach could be crossed referenced with data obtained from the OPM breach and other widely publicized private sector breaches.”

The news has emerged against the backdrop of the GAO report last Tuesday, which identified “mounting challenges in protecting its weapons systems from increasingly sophisticated cyber-threats.”

“In recent cybersecurity tests of major weapon systems DoD is developing, testers playing the role of adversary were able to take control of systems relatively easily and operate largely undetected,” the GOA said in its report. “DoD’s weapons are more computerized and networked than ever before, so it’s no surprise that there are more opportunities for attacks. Yet until relatively recently, DoD did not make weapon cybersecurity a priority. Over the past few years, DoD has taken steps towards improvement, like updating policies and increasing testing.”

While the department has rolled out a series of bug-bounty programs over the last few quarters, these aren’t aimed at weaponry, but rather the DoD’s unclassified networks.

Third-party concerns also persist; in June, reports surfaced that nation-state attackers affiliated with the Chinese government made off with a trove of undersea military secrets, including “secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020.” Hackers were reportedly able to mount a lateral attack after compromising the networks of a Navy contractor working for the Naval Undersea Warfare Center in Rhode Island.”