The 2015 Anthem data breach affected 79 million people and was the largest health-care data breach in U.S. history. The affected consumers sued Anthem in a case that settled for a record $115 million. Now the U.S. Dept. of Health and Human Services’ Office of Civil Rights has reached a settlement with Anthem for a record $16 million — an amount that is almost three times the next-largest OCR data breach settlement of $5.55 million.
While these numbers are interesting, what is the takeaway for business leaders?
It all started with an employee opening and responding to a phishing email:
Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. (HHS Press Release)
President Trump and Kanye West put a big ol’ Texas-sized exclamation point on the #CyberAware campaign with Kanye’s password demonstration on national TV in the Oval Office.
Politicos will spin this a million ways. Security folks will go back and forth between laughing and crying — and maybe do both at the same time. But the important thing is that we learn from this and use it as an example to help educate others. I thought there was no better way to do that than by putting “Trump”, “Kanye West”, “Password”, “Cybersecurity”, and “#CyberAware” in the title — how’s that for getting a wide range of attention? 🙂
All joking aside, what are the most important lessons you take away from this example, and can you use this lightning-rod moment to help educate your team, family, and friends about good cyber hygiene?
Dear friends who keep talking about “hacked Facebook accounts”:
When an account pretending to be yours on Facebook (or another social media platform) sends friend requests to others, in most cases this does not mean your account has been “hacked” (i.e., accessed by someone other than you).
In most cases, nothing has happened to your account. Rather, someone is attempting to “clone” your account: they create a new account that appears to be you, using your publicly visible information and pictures. When this happens, your account has not been “hacked”!
If this happens to you, go to the profile pretending to be you and report it to Facebook. The pictures below show you how to do it.
Given all of the hysteria about this right now, do not accept new friend requests on Facebook immediately; let them sit for a few days before accepting. If the cloned account is reported to Facebook and taken down, the illegitimate friend request will disappear on its own.
If you’d like to learn more about the real “Facebook Hack”, you can listen to these radio segments where I discussed it:
Cybersecurity is a team sport, and many people within a business must work together to effectively manage the business’s cyber risk. In-house counsel plays a critical role in this process. A recent Law360 article (subscription required) identified the following key things they can do:
Develop, implement, and table-top test an incident response plan
Cybercriminals are using yet another twist on the old email phishing attack: they email people claiming to have infected porn sites with malware that let them take over the recipient’s webcam and record them watching porn at their computer, and they threaten that if the recipient doesn’t pay up, the video will be made public. I discuss this new method of attack in the video above, and you can learn more about how they do it in this article: Don’t Fall for This Scam Claiming You Were Recorded Watching Porn
For people who know they have never watched porn on their computers, this probably isn’t too effective. For everyone else, this threat of public shaming can be a powerful motivation to comply with the extortion demand.
This is another example of what I have often described as shame hacking: the use, or threatened use, of purportedly hacked data to embarrass or extort people by threatening to expose the compromising data if they do not comply with the demands made of them.