The student health insurance carrier guard.me has taken its website offline after a vulnerability allowed a threat actor to access policyholders’ personal information. The company is one of the largest insurance providers specializing in health insurance for students who are traveling or studying abroad. The Guard.me website was taken down after suspicious activity was found on it, and visitors are now automatically redirected to a maintenance page.
"… in an abundance of caution" usually means "we've been hacked" Student health insurance carrier @GuardmeIns's website is down. #Cyberattack #DataBreach https://t.co/cJB7HAPrJI pic.twitter.com/IIXGflLY7W
— Dr. Alissa Abdullah (Dr. Jay) (@dralissajay) May 18, 2021
For most people, the information contained in their health insurance is incredibly sensitive. This is the kind of information that can be used for significantly more than just the normal breach information, so it is good that the company is trying to get ahead of it.

In the end, managing access according to the least privileged model and using a privileged account management (PAM) system would likely have stopped this breach from happening. Remember: you can only leak, or breach, information that you have access to.

It is safe to assume that excessive access was a component of the Guard.me breach. Hopefully, they have implemented a least privileged model and a new PAM system, or even better, a Zero Standing Privilege based system. Likely they have. Hopefully, others will take note.

Remember, we are just at the start of what can be expected to be a large number of data breaches that are being identified. Security has simply not been a focus during the pandemic, and simple enablement took its place. It’s time for security to move back to the forefront so that breaches like these do not happen.
Personally identifiable information (PII) and personal health information are becoming increasingly valuable, but many data healthcare operators are struggling to protect sensitive information effectively and maintain regulatory compliance. The security challenge lies in securing data that is being stored in different locations (often in multiple copies) and accessed through various applications. However, we may be seeing a shift in approaches from ‘secure the technology’ to ‘secure the data,’ which will reduce the threat of data loss and exposure when—and not if—a cyber-attack happens.

While no sure-fire way exists to prevent attackers from getting access to an enterprise network environment, organizations can leverage data security solutions that protect valuable customer information instead of the environment around that data. Being able not only to protect passwords and perimeters but also to secure personal, sensitive data itself drastically reduces the risk of misuse of data and the resultant reputational damage. Companies should look to deploy data-centric methods such as tokenization or format-preserving encryption to protect the privacy of their customers. A sophisticated data protection architecture doesn’t care where the data is stored, whether in motion or at rest, or whether that data is on-premise or in multi-cloud environments. The objective is to protect sensitive data itself at its earliest point of entry, and allow de-protection only when necessary and only for applications and users with the right permissions. The best part about tokenization is that, because it preserves data structure, it can still be used by applications without de-protection, increasing its value to the organization.
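
The tokenization approach described in the comment above, shown as an added example that is not part of the original article or any vendor's product: a small in-memory vault that issues format-preserving random tokens and de-protects only for permitted roles. The `TokenVault` class, the role names and the sample policy number are constructed for illustration; a production vault would be a hardened, audited service.

```python
import secrets
import string


class TokenVault:
    """Vault-based tokenization with format-preserving tokens (illustrative)."""

    MIN_REPLACEABLE = 6  # assumption: shorter values give too small a token space

    def __init__(self, allowed_roles):
        self._allowed = set(allowed_roles)  # roles permitted to de-protect
        self._to_token = {}                 # clear value -> token
        self._to_clear = {}                 # token -> clear value

    @staticmethod
    def _random_like(value):
        # Swap each digit/letter for a random one of the same class; separators
        # such as '-' are kept so downstream format validation still passes.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isascii() and ch.isalpha():
                pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
                out.append(secrets.choice(pool))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value):
        """Protect a value at its point of entry; only the token is stored downstream."""
        if value in self._to_token:  # same input -> same token, so joins still work
            return self._to_token[value]
        if sum(c.isdigit() or (c.isascii() and c.isalpha()) for c in value) < self.MIN_REPLACEABLE:
            raise ValueError("value too short to tokenize safely")
        token = self._random_like(value)
        while token in self._to_clear or token == value:  # retry on collision
            token = self._random_like(value)
        self._to_token[value] = token
        self._to_clear[token] = value
        return token

    def detokenize(self, token, role):
        """De-protect only for callers holding an allowed role."""
        if role not in self._allowed:
            raise PermissionError(f"role {role!r} may not de-protect data")
        return self._to_clear[token]
```

Applications that only need to store, match or join on the field work with the token; the clear value never leaves the vault unless `detokenize` is called with an allowed role.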