Anthem’s Breach and the Ubiquity of Compromised Credentials

By Sekhar Sarukkai, Co-Founder and VP of Engineering, Skyhigh Networks

The year is still young, and we’ve already witnessed a breach of potentially historic proportions. Anthem Inc, the nation’s second largest health insurer, released a statement last week announcing the breach of a database with 80 million customer records. Anthem estimated the number of stolen accounts at “tens of millions,” which would be the largest healthcare breach to date. For comparison, hacks at Target and Home Depot exposed 70 million and 56 million records, respectively. In this case, the records contain sensitive customer data including names, birthdays, addresses, and social security numbers. Fortunately the company reported no medical or financial information was stolen.

Let’s run through the mechanics of the attack based on available information. The source of the breach was a compromised login credential. The attackers initially ran a database query using a system administrator’s credentials. They then uploaded the hacked data to a cloud storage service. Anthem declined to name the service but did mention it is commonly used in US companies. This last fact may have made the exfiltration more difficult to detect. The average company uses 37 different file sharing services, which include a mix of enterprise ready services such as Box and high-risk services such as 4shared.

Anthem Only the Tip of the Iceberg

The circumstance through which hackers gained entrance into Anthem’s system is not rare; in fact it is the norm. User login credentials are sold on the Darknet by professional cybercriminals. Skyhigh’s analysis of cloud usage data of over 15 million enterprise employees across 350 enterprises indicates that 92% of companies have users with compromised credentials. On average, 12% of users are affected. In other words, over one in ten enterprise users have their credentials for sale on the Darknet. With 31% of passwords reused according to a study by Joseph Bonneau, stolen login credentials pose a huge liability for enterprise security.

Avoiding “The Big One”

To start, companies should enforce two-factor authentication to reduce the likelihood that a stolen credential alone is sufficient to gain access to a mission-critical system. Security should also put in place role-based access control for corporate systems so that no single credential has unfettered access to all data. With the prevalence of stolen credentials available to attackers, these are critical steps in preventing a breach of this scale.

There are two parts to this story, however. Security teams would be wise to guard the way out as well as the way in. In this case and in an increasingly high number of instances, attackers used a cloud service to exfiltrate data. The cloud is a easy path for removing data from the corporate environment because many organizations lack visibility into the flow of traffic to cloud services. This points to the need for security intelligence systems that provide visibility into cloud usage and identify anomalous behavior. With this technology in place, alerts for anomalous behavior can not only identify external threats, but they can also protect against insider threats.

As in the vast majority of cases, no single misstep or shortcoming led to this breach. There are clear steps companies can take to lower the likelihood of suffering from a similar attack and to minimize the damage in the event hackers do gain access to corporate systems. Anthem’s breach should serve as a wakeup call to all enterprises.