- Major health insurer Anthem experienced a "very sophisticated external cyberattack" that may have exposed as many as 80 million customers' personal information, the company said late Wednesday.
- Hackers first broke into Anthem's data on December 10. The company noticed the suspicious activity January 27.
- The culprits behind the Anthem hack are currently unknown, although Bloomberg reported Thursday that the attack had "signs" of Chinese attackers.
Anthem is the latest in a string of large cyberattacks
The Anthem hack comes on the heels of a separate attack on Sony Pictures Entertainment, a major Hollywood movie studio. The Sony attackers, widely believed to be supported by the North Korean government, stole a huge number of confidential documents and posted them for downloading on file sharing networks.
Target and Home Depot also experienced major hacking attacks in the last couple of years, with the attackers stealing tens of millions of customers' names, emails, and phone numbers.
Hackers spent six weeks accessing Anthem's databases before the company noticed
Hackers began attacking Anthem as early as December 10 but the company only became aware of the suspicious activity nearly six weeks later, on January 27, the Los Angeles Times has reported.
"Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation," Anthem chief executive Joe Swedish wrote in a statement posted online Wednesday. "Anthem has also retained Mandiant, one of the world’s leading cybersecurity firms, to evaluate our systems and identify solutions based on the evolving landscape."
Anthem says it has not yet identified the attacker, but Bloomberg reported Thursday that investigators on the hack "are pursuing evidence that points to Chinese state-sponsored hackers who are stealing personal information from health-care companies for purposes other than pure profit."
The Los Angeles Times interviewed cybersecurity experts who were critical of Anthem's decision to leave much of its consumers' data unencrypted, saying that left the company vulnerable to exactly this type of attack.
"It is irresponsible for businesses not to encrypt the data," Trent Telford, chief executive of Covata, a data security firm in Reston, Va., told the Times. "We have to assume the thieves are either in the house or are going to break in. They will always build a taller ladder to climb over your perimeter security."
Anthem has previously struggled with security issues
This isn't the major health insurer's first security breach. A handful of incidents have exposed subscribers' information in recent years:
- Anthem (then known by its old name, Wellpoint) paid a $1.7 million settlement in July 2013 after the federal government charged the company with leaving 612,402 members' information "accessible to unauthorized individuals over the internet."
- In 2012, Anthem paid $150,000 to settle a lawsuit, brought by California Attorney General Kamala Harris, that charged the company with exposing as many as 33,000 members' Social Security numbers in documents sent through the mail.
- Anthem sent an unknown number of members a warning about a possible data breach in October 2013.