In this series of blogs we will examine all topics under the information security umbrella. From corporate blunders to rogue state attacks to the occasional celebrity hack, we believe there is something for businesses and individuals to learn from any cyber security event. We also believe that, while experience is the best teacher, sometimes it’s best to let other people make the mistakes for you.
Rehashing Hash
If you haven’t heard by now, Anthem Inc. was hacked last week and suffered a massive data breach. Very massive. In this latest high-profile security failure, 80 million people from the Anthem network had their social security numbers, dates of birth, and all other personal information needed to receive medical care compromised. It gets a little bit worse though.
Medical companies, it seems, aren’t required to encrypt their patients’ information. It does seem odd, with HIPAA laws being so stringent in protecting patients’ confidentiality, that this would be the case, but this series isn’t here to discuss policy, only protection. This means that all of the user information accessed was sitting in plain text documents, only a double click away from being copied, pasted, and sold to who knows where.
Because, unlike the victims of previous headline-grabbing security failures, Anthem isn’t a chronic offender, I’m going to spend less time talking about how they could have avoided this and more on what the affected consumers can do about it. One key factor to note is that this affects both current and former Anthem members, and as a former member of their network, I have a very personal interest in damage control, here.
What Anthem Members Should Do
I’m not in the business of telling people what to do, but these are all of the steps that I have either considered or taken myself in ensuring a safe exit from this situation. At the very least, make sure you are monitoring your accounts and carefully reading your statements each month.
- Credit Hold- You can essentially freeze your credit whenever you want. This isn’t a viable solution for everyone, such as anyone who may be currently shopping for a car or home, or even applying for a job. I did, in fact, do this because it is the ultimate way to shut down any malicious attempts at identity theft. No matter what a criminal would want to do, even with every scrap of information on an individual, nothing can be completed if an institution sees there’s a freeze on a person’s credit. There are conflicting suggestions as to how long it is prudent to keep a self-imposed freeze on, but suffice it to say, when there are 80 million options to use, thieves won’t spend a great deal of time on the ones that don’t immediately work.
- Fraud Alerts & Credit Checks- These go hand-in-hand in my mind because sometimes something that looks legitimate on a credit report might not trigger a fraud alert. Both of these services are also typically available for little or no cost as part of an account at most financial institutions. Fraud alerts are great, but make sure if you plan to take a trip that you notify your financial partners, or else your popsicle purchase in Bora Bora might result in your card shutting down. Also, if you don’t get credit reports included in your card or account membership, you can get a free credit check whenever you want, though I don’t recommend you do it more than every couple of months. Everything that goes into calculating a personal credit score is still as highly guarded as the secret recipe for Coca-Cola, but it is known that how frequently a credit check is run does affect it, with checking it too frequently having an adverse effect on credit.
- Two Factor Authentication- Two-factor authentication is an added layer of security on any portal through which you access your information. This means that in addition to logging on to whatever site you need to use, you will then be prompted to enter a separate, unique code that will be sent to you via another device, typically a cell phone or email. This means that someone would need to have your personal information plus your actual phone in order to access your accounts. Not all financial institutions offer two-factor authentication, but for those shopping for a new bank or credit provider, it could be a feature to include on your wish list.
- This One Should be Obvious- But lamentably, it isn’t. Don’t give your info to people who ask for it! There has already been a slew of phishing scams that cropped up almost immediately following the news of the hack, where scammers posed as Anthem asking for personal information from their network. What makes my head spin about this one is that the very first communication that went out to all Anthem members was that they were not, I repeat, NOT going to be sending any requests for information, confirmation, or anything. Whether it is for this or any Nigerian Prince or sweepstakes winnings that you just so happen to have forgotten about entering, don’t give away your information so easily.
There are other courses of action, too, should the problem escalate beyond normal measures. However, applying for a new social security number is reserved for people who have already been victims of identity theft, can prove damages, and need to start fresh. Plus, as a hedge against folks who may change their information in an attempt to dodge creditors, linking old and new social security numbers isn’t terribly difficult for credit companies to do, so often credit histories can follow new numbers either way.
If you’ve missed it in the past, there were a few good suggestions about proper password security in our previous blogs, and you can check them out here. Otherwise, just make sure to avoid complacency with your security. That’s typically a great start to any comprehensive cyber security initiative.
Good luck out there and protect ya neck.