Excellus BlueCross Hacked, Over 10 Million Records at Risk

By   ISBuzz Team
Writer , Information Security Buzz | Sep 15, 2015 08:00 pm PST

Security experts from VASCO, Spikes Security and STEALTHbits commented on the latest hack of health insurer excellus that may have exposed 10M personal records.

[su_note note_color=”#ffffcc” text_color=”#00000″]John Gunn, VP of Communications, VASCO Data Security International :

“It is simple economics – hackers are attacking targets with highest value assets; retailers for payment cards, banks for funds, and healthcare organizations for social security numbers. Healthcare organizations are lagging behind and unless they greatly increase their investment in the people and security solutions necessary to protect their assets, they will remain the target of choice for criminals.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Franklyn Jones, CMO, Spikes Security :

“On one hand, it’s frightening to think that Excellus is just discovering an attack that first infected their network two years ago. On the other hand, this is just the latest example of an advanced targeted attack that is simply undetectable, despite the significant investments Excellus no doubt made in building a strong security architecture.  The root cause of the Excellus breach can likely be traced to the failure of legacy security technologies, which all rely on some form of detection technology to try to identify and block these attacks.  It’s painfully obvious that these products simply don’t work.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Jeff Hill, Channel Marketing Manager, STEALTHbits :

“The most compelling element of this episode is the 20 months it took Excellus to discover the breach and put a stop to it.  Twenty months exceeds the average breach discovery time – about 200 days – but in Excellus’ defense, it beats the over 5 years hackers ran wild on the newswire services’ networks before being discovered by the SEC, not internal IT systems.  Gone are the days of smash-and-grab operations executed by impetuous, immature hackers. Of the newest weapons and tactics being deployed by today’s attackers, patience may be the most dangerous development.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Elad Sharf, Security Research Manager, Performanta ltd :

“The healthcare industry has suffered yet another catastrophic data breach. Once again millions of customer records have been put at risk, this time belonging to Excellus BlueCross BlueShield members.  No further proof is needed, we have entered a new phase in cyber-aggression where hackers have realised the true value of user data. Malicious actors are continually harnessing the growing availability of malware tool-kits on the black market to pursue their nefarious goals.

Excellus BlueCross BlueShield have hired a forensic auditor to check for data breaches, but the fact remains that this data breach was believed to have happened in 2013, leaving their members vulnerable for over two years. All companies should perform regular cyber security audits to ensure they are not currently at risk. In the modern cyber-security environment, companies should adopt an assume breach mentality where they assume a hack like this could and will occur and take steps to regularly evaluate their security posture. The additional increase of ‘localised data’ stemming from targeted attacks also requires a closer on-going relationship with a qualified security team to surface such attacks earlier. Companies that fail to do this will risk massive losses in consumer trust and revenue as many healthcare providers have begun to experience.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Tim Erlin, Director of Security and Product Management at Tripwire :

“In nearly every breach, the first headline is just the tip of the iceberg and we learn of more compromised records after the investigation has moved forward. I would expect no less in this case.

Healthcare seems to have run into a breach nexus. It’s clear that this industry has been targeted successfully.

Every organization that stores personal health information should be put on notice: you are at high risk of already being compromised. If you think your systems are secure, you can easily be wrong. Many other healthcare that have recently been breached also thought they were secure.

The sheer number of compromised records, records of American citizens, should put cybersecurity on the list of presidential debate topics for this election cycle. The candidates need to understand how these events affect people’s safety, and our economy.”[/su_note]

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x