Weak login security at heart of Anthem breach

Weak security is being blamed for the mammoth hack of one of the nation's largest health insurance providers, which has put the private data of 80 million people at risk.

Investigators are focused on weak security for login credentials, as the hackers are believed to have accessed Anthem Inc.'s information by stealing the company system administrator’s access information.

“Anthem’s primary security sin may not have been the lack of encryption, but instead improper access controls,” security researcher Ken Westin wrote in a blog post.  

ADVERTISEMENT
Hackers were able to get the credentials of five different Anthem tech workers, the country’s second-largest health insurer, The Associated Press reported Saturday.

Starting some time after Dec. 10, the digital thieves used this information to access Anthem’s system and eventually make off with the information of 80 million customers.

It’s widely believed the attackers used targeted “phishing” campaigns, in which they sent Anthem’s network administrators fake emails trying to dupe them into either revealing login info or clicking a link that gives hackers access to their computer.

“What may be a key weakness here is that it appears there were no additional authentication mechanisms in place, only a login/password or key, with administrative-level access to the entire data warehouse,” Westin said.

Anthem has been dinged for not encrypting its customer data. But the bigger problem is access security, Westin believes.

“In Anthem’s defense, if the attackers had admin-level credentials, encryption would have been moot anyway,” Westin said.

Neither do federal data privacy laws require health insurers to encrypt customer data.

Gaining access using pilfered login credentials has become an increasingly common and effective strategy for cyberattackers.

It’s suspected that hackers supporting the Islamic State in Iraq and Syria (ISIS) recently gained access to the U.S. Central Command’s Twitter and YouTube accounts by lifting the password from an employee’s computer.

Security researchers have long warned of the fallibility of passwords. Employees often choose trivial passwords such as “123456” or leave the default password in place.

The White House is funding several public-private initiatives to develop password alternatives, such as using a mobile device for identification or identifying through a wearable ring or bracelet.

Michael Daniel, White House cybersecurity coordinator, said in October that these offerings are set to hit the market some time in 2015.

“We simply have to kill off the password,” he said. “It's a terrible form of security.”