
Premera has been the target of a cyberattack - sorahn
http://premeraupdate.com/
======
shitlord
Was the attack _actually_ sophisticated? Usually, when megacorporations get
pwned, the attack is not sophisticated at all, but they pretend it is (for PR
reasons). This page doesn't tell us much about the nature of the attack, which
is understandable. And as for what was compromised... almost everything of
value?

Given that this is an insurance company, I imagine the attackers were either
criminals (who wanted to steal this information for identity theft), or state-
sponsored attackers (who would want this information for HUMINT reasons, such
as verifying identities or determining good targets).

~~~
Mandatum
We won't get any technical details. The fact that this was pulled off and the
initial compromise was a year ago means they've got no alarm bells for someone
dumping the DB.

It's negligence at its finest. Here's to hoping for class-action. 2 years
free "identity theft protection" (which is useless to consumers until post-
theft) and credit-report monitoring (which is free to them, and again only
comes up post-theft) is pretty bullsh*t.

Roll some heads and hand out fines.

~~~
jambo
I wrote my state insurance department because I was so annoyed by the paucity
of information in Anthem's disclosure.
[https://gist.github.com/paulhenrich/d1015fff356d037dc41d](https://gist.github.com/paulhenrich/d1015fff356d037dc41d)

~~~
Mandatum
I'm interested in seeing their reply. Will check back, please update your git
once you receive one.

~~~
jambo
Will do.

------
y-satellite
This follows a recent breach at Anthem, another Blue Cross health insurance
company: [https://www.anthemfacts.com/](https://www.anthemfacts.com/)

Edit: Actually, based on that site and this article
([http://abcnews.go.com/Technology/wireStory/premera-blue-cros...](http://abcnews.go.com/Technology/wireStory/premera-blue-cross-data-breach-affect-11m-people-29705515))
the breaches were both discovered on Jan 29.

~~~
bigiain
Surely that's more than a coincidence?

29th Jan, the "cyberattack" wording, Mandiant...

------
joe_the_user
So what happens when more than 50% of the US population has their semi-private
data spilled out into the open?

We're getting closer to a day when there will be collated a single text file
with name, DOB, address, SSN, ID#, and maybe CCN for hundreds of millions of
people. It will just float around the net ready for use/abuse.

What happens? A quick move to biometrics? Ignore it and hope it goes stale?

Right now Chase keeps dubious stuff from happening by requiring text
confirmation for all my "out of pattern" purchases but that's kind of clunky.

~~~
ams6110
I would guess that the PII of close to 100% of anyone who has ever done
business with any financial services or insurance company has been
compromised. We have to get to a point where this information is just assumed
to be public and not valid for identity purposes.

------
jld
"Our investigation determined that the attackers may have gained unauthorized
access to applicants and members’ information, which could include member
name, date of birth, email address, address, telephone number, Social Security
number, member identification numbers, bank account information, and claims
information, including clinical information."

Then, of course, "The security of our members’ personal information is a top
priority."

~~~
ChuckMcM
One wonders if the attackers could generate a massive number of Medicare
invoices that paid out to a bogus company which transferred all of the
deposits offshore.

------
thanatosmin
So they waited 7 weeks before informing their customers? That's unacceptable.
I wonder how many other blue cross companies were affected and we simply
haven't been told yet.

~~~
oasisbob
I thought the same thing. WA's insurance commissioner doesn't sound happy
about it either:

[http://blog.seattlepi.com/boomerconsumer/2015/03/17/insuranc...](http://blog.seattlepi.com/boomerconsumer/2015/03/17/insurance-commissioner-offers-comments-on-premera-cyberattack/)

I called to ask about it, and was told that they were following the
recommendations of Mandiant and the FBI; that they may put consumers at more
risk if they announced prior to remediating their systems.

It's an interesting point of distinction, as Washington state law requires
disclosure "in the most expedient time possible ... The notification required
by this section may be delayed if a law enforcement agency determines that the
notification will impede a criminal investigation."

[http://apps.leg.wa.gov/rcw/default.aspx?cite=19.255.010](http://apps.leg.wa.gov/rcw/default.aspx?cite=19.255.010)

Perhaps the call center scripts weren't nailed down yet - but they sure didn't
mention an ongoing investigation as the reason for the delay.

------
calvin
Does it bother anyone else that this site isn't on HTTPS and doesn't provide
identity information?

~~~
Dublum
yes, though it's probably worth noting that a video of their CEO talking about
it is probably pretty hard to fake

~~~
dublinben
As far as I know, that guy is an actor.

~~~
niels_olson
Let's assume he's an actor and DNS is poisoned. Clearly this is intended to
reach a wide audience. Presumably, the real CEO would learn of the fraud
shortly. Let's say that takes a few hours. The corrected DNS will take 4 hours
to propagate. So, how many people will sign up for fraud protection in
between?

If I was designing an attack, a high visibility, low persistence attack where
I send my victims to a website not under my control (unless you're asserting
the attackers also got control of protectmyid.com) would not be my first
choice, especially if I'm spending the money it took to shoot that video and
stream it to all the people who you ostensibly want to see it.

~~~
scott_karana
> The corrected DNS will take 4 hours to propagate.

This misconception bothers me a lot. DNS changes are complicated: there's no
"n" where "n = the amount of time where any domain will magically be fixed".

"Propagation" is based on the configured TTL values of the specific DNS
records requested, for the specific zone. Add in layers of
application/OS/intranet/ISP/DNS provider caching, and it's a complicated
nightmare to fix/predict reactively.

Most BIND9 installations use 86400 seconds by default: _24_ hours. And some
domains use more, some less, some have dynamically generated TTLs to simulate
changing of records at a set/recurring wall clock time, instead of a time to
live, some DNS caches are reset frequently, some caches retain values much
longer than allowable by TTL...

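To make the point above concrete (no single "n" hours after which a changed record is fixed everywhere), here is an added illustration that is not part of the thread: a small model of recursive resolvers that cache a record until its own TTL expiry, with some of them clamping the TTL they honour. The zone name, resolver policies and timeline are constructed; the 86400-second TTL is the BIND9 default the comment mentions.

```python
"""Added example (not from the thread): how long a resolver keeps serving a
stale DNS record after the authoritative zone changes depends on when that
resolver last fetched and on any TTL floor/cap it applies. All names and
timings below are constructed for the illustration."""
from dataclasses import dataclass, field


@dataclass
class CachedRecord:
    value: str
    expires_at: int  # seconds on a constructed timeline


@dataclass
class Zone:
    """Authoritative data: name -> (value, ttl)."""
    records: dict

    def authoritative(self, name):
        return self.records[name]

    def change(self, name, new_value):
        # The operator changes the value; the record's TTL stays the same.
        _, ttl = self.records[name]
        self.records[name] = (new_value, ttl)


@dataclass
class Resolver:
    """A caching resolver. min_ttl/max_ttl model resolvers that override the
    TTL they received (0 = no override)."""
    name: str
    min_ttl: int = 0
    max_ttl: int = 0
    cache: dict = field(default_factory=dict)

    def effective_ttl(self, ttl):
        if self.max_ttl and ttl > self.max_ttl:
            ttl = self.max_ttl
        if ttl < self.min_ttl:
            ttl = self.min_ttl
        return ttl

    def lookup(self, zone, name, now):
        """Return (value, served_from_cache)."""
        entry = self.cache.get(name)
        if entry is not None and now < entry.expires_at:
            return entry.value, True
        value, ttl = zone.authoritative(name)
        self.cache[name] = CachedRecord(value, now + self.effective_ttl(ttl))
        return value, False


def time_until_corrected(resolver, zone, name, last_fetch, change_at, new_value):
    """Seconds after change_at at which this resolver first returns new_value."""
    resolver.lookup(zone, name, last_fetch)  # prime the cache with the old value
    zone.change(name, new_value)
    value, _ = resolver.lookup(zone, name, change_at)
    if value == new_value:
        return 0  # cache already expired (or never populated): fixed immediately
    expires = resolver.cache[name].expires_at  # stale until its own expiry
    value, _ = resolver.lookup(zone, name, expires)
    assert value == new_value
    return expires - change_at


def seconds_until_corrected(record_ttl, fetched_before, **policy):
    """Run one scenario: a record with record_ttl, last fetched fetched_before
    seconds before the change, on a resolver with the given TTL policy."""
    zone = Zone({"update.example": ("old-ip", record_ttl)})  # constructed name
    resolver = Resolver("r", **policy)
    change_at = 100_000
    return time_until_corrected(resolver, zone, "update.example",
                                change_at - fetched_before, change_at, "new-ip")


def propagation_table():
    """Constructed scenarios showing there is no single propagation time."""
    return {
        "ttl 86400, fetched 1h ago, no override": seconds_until_corrected(86400, 3600),
        "ttl 86400, fetched 1h ago, caps TTL at 1h": seconds_until_corrected(86400, 3600, max_ttl=3600),
        "ttl 300, fetched 10m ago, floors TTL at 1h": seconds_until_corrected(300, 600, min_ttl=3600),
        "ttl 300, fetched 10m ago, no override": seconds_until_corrected(300, 600),
        "ttl 86400, fetched 2 days ago": seconds_until_corrected(86400, 172800),
    }


if __name__ == "__main__":
    for scenario, seconds in propagation_table().items():
        print(f"{scenario}: corrected after {seconds} s ({seconds / 3600:.1f} h)")
```

The same change is seen immediately by some resolvers and 23 hours later by others, and a resolver that floors short TTLs keeps serving a 300-second record for 50 minutes. Real deployments add further layers (OS and application caches, ISP forwarders), which the commenter's point covers and this model deliberately leaves out.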
~~~
niels_olson
Yes, I have configured BIND before. True, true, and still, most of the time,
in my humble, limited experience, it will clear in well under 4 hours.

