
Anthem Breach May Have Started in April 2014 - wglb
http://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/
======
mattlong
Is the 80 million stolen Social Security numbers figure quoted in this article
accurate? I had no idea it was so high...that's 25% of the population of the
US!

~~~
aero142
At some point, I think we just have to stop pretending that SS numbers are a
secret piece of information. Maybe we should just publish them all and be done
with it.

~~~
dredmorbius
SSNs are _identifiers_ but not _authenticators_.

The _benefit_ to use of SSNs is that they're assigned by a central authority
which does a pretty good (though not perfect) job of ensuring that there's a
1:1 correspondence of SSN to person.

The issues of how they were to be used _other_ than by the Social Security
Administration has been up in the air for a long time. I remember in college
when "student identifiers" were just SSNs, and grades and other student data
would be posted on office doors by Student ID (that is: SSN). That started
getting phased out in the 1990s. There's the matter of the namespace -- it was
kept intentionally small, and SSN exhaustion is something that will be faced
eventually -- the space is sufficient for "several generations", some 450
million have been issued. The total namespace is around 890 million numbers.

The problem is that when you sign up for new services (online, financial,
other), there's a _desire_, though often not a specific _need_, to associate
an _account_ with a specific _person_. And so the SSN gets drafted to serve
that purpose, as a _proof_ of identity, not as an _identifier_ based on
_other_ proven identity.

It's a misuse of the identifier.

~~~
CeramicTeapot
Don't pretend that the government is without fault here. There's plenty of tax
fraud that happens using social security numbers. People can steal your tax
refund or even evade taxes by pushing them onto you through your social
security number. The system is messed up, and the government is largely
responsible for the mess. The Social Security Administration has the same
security holes.

What you describe is ideal, but it's not what actually happened. The social
security number has been used as an identifier and proof of identification for
a long time. Part of the problem is that it's from a time when technology did
not allow anything more complicated. That's no longer an excuse though. Social
security numbers should have been upgraded long ago.

------
revisionzero
Does anyone know why Anthem's clients have not been notified, at all, yet?

I am part of Anthem and I have heard literally nothing directly about this;
it's all been through news/tech sites.

~~~
zaphar
Anthem has stated that they will not be calling or emailing clients and you
should check their site [http://AnthemFacts.com](http://AnthemFacts.com) for
updates. (Why that site is not protected by SSL I have no idea.)

If you do get contacted personally, it's a safe bet it's a phishing attack.

Our company is affected and all our interaction has been through HR. I would
contact your HR department.

~~~
ubernostrum
Well, you need to correct this a bit.

Anthem will not be emailing individuals, but apparently _will_ be sending a
snail-mail packet of information including an offer for credit-monitoring
services. And they have been contacting, via email, the benefits/HR people of
client _companies_ which used Anthem for group health plans for their
employees.

(that all comes via my employer, which has been sending me updates about this)

------
jfc
As long as U.S. laws fail to impose significant costs for data security
breaches, we can expect companies to treat the costs of these breaches as the
cost of doing business--just as they do with litigation costs for faulty
automobile parts, manufacturing pollution, and the like.

~~~
zobzu
Even in tech companies (even Google) security is handled like that.

~~~
uxp
I doubt Google-esque companies would store a users table with foreign keys to
social security numbers, street addresses and phone numbers unencrypted (FDE
does not count as it's for hardware loss, not data loss) or at least without
some kind of base-level ACL, but I would love to be surprised.

Much of the data I presume that Google deals with is not sensitive enough to
warrant the kinds of encryption that a health provider company should use. My
search data and even my Google+/YouTube/Gmail accounts are enough to tie them
to my person, but not my identity. I, or someone masquerading as me, cannot
open a line of credit with my Google account at a bank.

~~~
nowarninglabel
Eh, there was a story about a Google leak of SSNs a few years back on HN. I'll see
if I can dig it up. I'm sure they've learned since then of course.

Edit: This wasn't it, but interesting nonetheless:
[https://news.ycombinator.com/item?id=2254394](https://news.ycombinator.com/item?id=2254394)

