On Wednesday Anthem, formerly WellPoint, announced that it was the victim of a “very sophisticated external attack” affecting “all product lines”. The numbers aren’t clear yet, but some of the estimates I have seen in the Twitter buzz this has caused put the total as high as 80 million records. Even half that is a huge breach. According to http://www.anthemfacts.com/, the information stolen included medical IDs, SSNs, birthdays, addresses, email addresses, and even income data (and yes, internal Anthem employees, including the CEO, are affected).
While I commend them on setting up the notification site, bringing in experts (the FBI and Mandiant), paying for credit monitoring and setting up a dial-in help desk to answer questions, I think these are the bare minimum they should do. I also think they downplay the breach slightly by highlighting that medical data and credit card data weren’t “targeted or compromised” – well, it seems like they got everything but.
As with any compromise of this nature, there are steps users can follow to help minimize the impact:
- Be vigilant about your credit – as is common practice, victims of computer crimes are often given paid credit monitoring services. This is a good practice regardless: watch your credit. Know what accounts are open in your name, what your score is, and be able to detect any changes.
- While there is no indication that passwords were compromised, it is recommended that you change any Anthem passwords. If you aren’t using unique passwords for each site you visit, as best practice dictates, make sure to change that password everywhere else you reused it as well.
- Be wary of phishing schemes – the attackers now have your email address and could easily use it to launch a phishing campaign. Remember: if you weren’t expecting it, don’t click it, and if it’s too good to be true, it is. Where a site allows it (not all will), I like using the + option in my email address so it is easier to auto-delete messages to it later. For example, if my Gmail address is first.last@gmail.com, I would sign up with first.last+site@gmail.com. The + tag is part of the email standard, so this trick works as long as the site doesn’t strip or reject + on input. Then, if I suspected that site’s copy of my address had been compromised, I would route everything sent to that address to the bit bucket. Granted, this isn’t foolproof, but it is an easy way to thwart simple attacks.
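The + trick above only pays off if you can later recognise which alias a message was sent to and drop mail to the ones you consider burned. The following is an added example (not code from the original post) showing how to build a per-site alias, parse one back out of a To: header, and triage mail once a site's alias is marked as compromised. The addresses, site names and sample headers are constructed for illustration; the only provider-specific assumption is that Gmail ignores case and dots in the local part, so `FirstLast+anthem@Gmail.com` and `first.last+anthem@gmail.com` land in the same mailbox.

```python
"""Per-site '+' email aliases: create them, recognise them, and drop mail sent
to an alias whose site you believe has been breached.

Added example, not from the original post. Site names, addresses and sample
To: headers are constructed for illustration.
"""
from email.utils import getaddresses
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# Characters allowed in a tag. RFC 5322 permits far more, but many sign-up
# forms reject anything beyond this, so keep tags boring.
_TAG_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{0,31}$")


class Alias(NamedTuple):
    base: str            # local part with the +tag removed
    tag: Optional[str]   # the +tag, or None if there was none
    domain: str


def canonical_local(base: str, domain: str) -> str:
    """Canonical form of the local part for mailbox comparison.

    Gmail ignores case and dots in the local part (assumption stated in the
    lead-in); other domains are only folded to lower case here.
    """
    base = base.lower()
    if domain in ("gmail.com", "googlemail.com"):
        base = base.replace(".", "")
    return base


def parse_alias(address: str) -> Alias:
    """Split 'first.last+site@example.com' into (base, tag, domain)."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not an email address: %r" % address)
    base, plus, tag = local.partition("+")
    return Alias(base, tag.lower() if plus else None, domain.lower())


def make_alias(address: str, site: str) -> str:
    """Derive the alias to hand to `site` from your real (base) address."""
    mine = parse_alias(address)
    if mine.tag is not None:
        raise ValueError("start from your base address, not an existing alias")
    site = site.lower()
    if not _TAG_RE.match(site):
        raise ValueError("tag %r would not survive many sign-up forms" % site)
    return "%s+%s@%s" % (mine.base, site, mine.domain)


def is_mine(candidate: Alias, mine: Alias) -> bool:
    """True if `candidate` delivers to the same mailbox as `mine`."""
    return (candidate.domain == mine.domain and
            canonical_local(candidate.base, candidate.domain)
            == canonical_local(mine.base, mine.domain))


def triage(to_header: str, my_address: str, burned: Set[str]) -> str:
    """Decide what to do with a message from the aliases in its To: header.

    'drop'  - addressed to one of my aliases whose site is marked compromised
    'keep'  - addressed to me (base address or an alias that is not burned)
    'other' - none of the recipients is my mailbox (e.g. Bcc'd bulk mail)
    """
    mine = parse_alias(my_address)
    decision = "other"
    for _name, addr in getaddresses([to_header]):
        if not addr:
            continue
        try:
            cand = parse_alias(addr)
        except ValueError:
            continue
        if not is_mine(cand, mine):
            continue
        if cand.tag in burned:
            return "drop"
        decision = "keep"
    return decision


# Constructed sample To: headers, as a mail filter would see them.
SAMPLE_HEADERS = [
    "Anthem Member Services <first.last+anthem@gmail.com>",
    "first.last+bank@gmail.com",
    "FirstLast+anthem@Gmail.com",                       # same mailbox, odd spelling
    "Jane Doe <jane@example.org>, first.last@gmail.com",
    "victim@example.org",
]


def filter_inbox(headers: List[str], my_address: str,
                 burned: Set[str]) -> List[Tuple[str, str]]:
    """Run triage over a batch of headers; returns (header, verdict) pairs."""
    return [(h, triage(h, my_address, burned)) for h in headers]


if __name__ == "__main__":
    ME = "first.last@gmail.com"
    print("sign up with:", make_alias(ME, "anthem"))
    for header, verdict in filter_inbox(SAMPLE_HEADERS, ME, {"anthem"}):
        print("%-6s %s" % (verdict, header))
```

The `burned` set is the list of sites whose alias you have decided to stop trusting; adding `"anthem"` to it is the "send it to the bit bucket" step. Note that the filter only proves which alias received the mail, not who sent it, so it is a convenience against bulk phishing, not a substitute for the "if you weren't expecting it, don't click it" rule.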