Anthem data breach: health insurer failed to encrypt data that was stolen in industry’s biggest-ever hack
Leaving information unencrypted makes it much easier for cyber-attackers to read information
Your support helps us to tell the story
As your White House correspondent, I ask the tough questions and seek the answers that matter.
Your support enables me to be in the room, pressing for transparency and accountability. Without your contributions, we wouldn't have the resources to challenge those in power.
Your donation makes it possible for us to keep doing this important work, keeping you informed every step of the way to the November election
Andrew Feinberg
White House Correspondent
The information that was stolen from Anthem in the biggest health-insurance cyber-attack ever last month was left unencrypted on the company’s servers, according to reports.
The data stolen related to the records of millions of customers and employees, Anthem said this week. While the hackers don’t seem to have had access to health records, the information stolen included names, birthdays, social security numbers, addresses and employment information, all of which could be used for fraud.
Failing to encrypt the information means that hackers will be able to look through the information much more easily. But because encrypting and then removing encryption from files is a slow process, it would have made it harder for the company to share the information with the various groups that it works with.
Anthem encrypts the information when it’s moved into or out of its database, but not when it is there, it told the Wall Street Journal, who reported the lack of encryption. Instead it uses other methods, “including elevated user credentials, to limit access to the data when it is residing in a database”, a spokesperson told the WSJ.
In a letter announcing the hack, the company said that it is “working around the clock to do everything we can to further secure your data”, CEO Joseph R Swedish wrote.
While encrypting the data would probably not have stopped the hackers from gaining access to the information — which was done using stolen employee logins — it would have made using it much harder.
Subscribe to Independent Premium to bookmark this article
Want to bookmark your favourite articles and stories to read or reference later? Start your Independent Premium subscription today.
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies
Comments