Anthem-insurance

John Kindervag, an analyst with Forrester Research, quoted in the New York Times, made a key observation about the recent data breach at Anthem:

“All cybercrime is an inside job,” he said, because the criminals are able to penetrate a database from the outside and act as an insider in gaining access to data, which is what occurred in the Anthem breach.

The inside nature of the Anthem breach is detailed on Krebs on Security. Brian Krebs cites an internal Anthem memo:

On January 27, 2015, an Anthem associate, a database administrator, discovered suspicious activity – a database query running using the associate’s logon information. He had not initiated the query and immediately stopped the query and alerted Anthem’s Information Security department. It was also discovered the logon information for additional database administrators had been compromised.

Commenting on the method that this breach was discovered, Dan Berger, chief executive of Carpinteria-based Redspin, which specializes in healthcare data security, told the Los Angeles Times:

It’s rare and it’s lucky. Who knows how long it would have gone undetected?

Anthem didn’t discover malware; it discovered malicious use of legitimate credentials, abuse which, according to the same memo, began on December 10, 2014, some seven weeks before it was noticed. That is the pattern to expect: FireEye’s Mandiant unit reports that credential abuse is observed in 100% of targeted attacks.
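The signal that ended the Anthem intrusion was a human one: a DBA noticed a query running under his own logon that he had not started. The same signal can be checked mechanically from database audit records, by flagging a privileged account that is used from a host it has never been seen on, or that is active from two hosts at once. The script below is an added example, not Anthem's tooling and not drawn from the memo; the audit-log format, the account and host names, and the known-host baseline are all constructed for illustration.

```python
"""Flag suspicious use of privileged database accounts in audit records.

Added example, not Anthem's tooling. The "timestamp account host statement"
record format, the account and host names, and the KNOWN_HOSTS baseline are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: the workstations each DBA account normally connects from.
KNOWN_HOSTS = {
    "dba_alice": {"ws-alice-01"},
    "dba_bob": {"ws-bob-02", "ws-bob-laptop"},
}

# Constructed sample audit records (one per line): timestamp account host statement.
SAMPLE_AUDIT_LOG = """\
2014-12-10T09:02:11 dba_alice ws-alice-01 SELECT name FROM members WHERE id = 42
2014-12-10T09:05:40 dba_alice srv-web-17 SELECT * FROM members
2014-12-10T09:06:02 dba_alice ws-alice-01 UPDATE members SET phone = '555-0100' WHERE id = 42
2014-12-11T03:41:09 dba_bob ws-bob-02 SELECT count(*) FROM claims
2014-12-11T03:42:30 dba_bob srv-web-17 SELECT * FROM claims
2014-12-12T14:00:00 dba_bob ws-bob-laptop SELECT 1
"""

# Two hosts using the same account within this window count as concurrent use.
CONCURRENCY_WINDOW = timedelta(minutes=5)


def parse_record(line):
    """Split one constructed audit record into (timestamp, account, host, statement)."""
    ts, account, host, statement = line.split(" ", 3)
    return datetime.fromisoformat(ts), account, host, statement


def detect(log_text, known_hosts=KNOWN_HOSTS, window=CONCURRENCY_WINDOW):
    """Return a list of (reason, record) alerts found in the audit log text.

    reason is "unknown-host" when a privileged account is used from a host not
    in its baseline, and "concurrent-hosts" when the same account has been
    active from a different host inside the concurrency window, i.e. the
    "a query is running under my logon that I did not start" situation.
    """
    alerts = []
    recent = defaultdict(list)  # account -> [(timestamp, host)] seen inside the window

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, host, statement = parse_record(line)
        record = (ts, account, host, statement)

        # 1. Privileged account used from a host never seen for it.
        if host not in known_hosts.get(account, set()):
            alerts.append(("unknown-host", record))

        # 2. Same account active from another host within the window.
        recent[account] = [(t, h) for t, h in recent[account] if ts - t <= window]
        if any(h != host for _, h in recent[account]):
            alerts.append(("concurrent-hosts", record))
        recent[account].append((ts, host))

    return alerts


if __name__ == "__main__":
    for reason, (ts, account, host, statement) in detect(SAMPLE_AUDIT_LOG):
        print(f"{ts.isoformat()} {reason:16} {account} from {host}: {statement}")
```

On the constructed sample this raises five alerts: the two sessions from `srv-web-17` are both on unknown hosts and both overlap with a session from the account's normal workstation, and Alice's own next query fires the concurrency check because the rogue session is still inside the window. Two caveats matter in practice. An attacker who runs queries from the DBA's own compromised workstation, which is what a spearphishing foothold would give, evades the host check and is caught only by concurrency. And a DBA with two legitimate sessions open will also trip the concurrency check, so the window and the baseline need tuning against real usage before alerts go to anyone.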

In the LA Times article, Berger speculates that the attackers gained system access using spearphishing to steal credentials.