Sue Marquette Paremba takes the media out to the wood shed for reporting on breaches in ways that repeat false claims of “sophisticated” attacks and that may leave us thinking that there’s nothing we can do to protect ourselves or better secure data we are responsible for:
Some media outlets called last month’s data breach at health-insurance company Anthem, which resulted in the theft of highly sensitive personal information pertaining to up to 80 million people, a “sophisticated attack.” However, later reports showed that weak authentication had let hackers into the database, and that a lack of proper encryption had allowed the personal information to be shared.
In a similar breach in 2014 at Community Health Systems, the company said the attackers “used highly sophisticated malware and technology.” It turned out the hackers had actually exploited the simple, very fixable Heartbleed bug, which had been widely known for months.
Read more on Tom’s Guide.
I hope more journalists covering breaches in the mainstream media read Sue’s article.
Yep, most are a crock. I see alot of password re-use, a simple spear-phishing attack, a social engineering method – all common style attacks that work without much effort on the crook’s side.
On the good side – insecure security practices, lack of attention to detail, failure to follow standard operating procedures – or the lack of having them, insider threats and the list goes on.
Another thing that has always bothered me is the lax attitude about “taking security seriously”. Most companies will ride that gravy train until something happens. Then, when an incident occurs, they will try to rely on any insurance plans to help bail them out.
With Anthem, Old habits die hard. They have had at least one other reported breach in the past. So they change their name and try again, in hopes that all will get better over time, Again, old habits die hard and they get breached again. Somehow, I think this is not the end of their data breach demise. I personally don’t see the issue getting better at all. I don’t see Anthem hiring any IT security pros to protect the data they have been responsible for. So, instead they will have some agency come in, speak greek to the untrained stafff, and the agency will leave, while the clueless remain. The Anthem crew breach issue continues to this day. They apparently have little answers to big issues and do not have a simple SOP for the cannon fodder manning the complaint lines. I am sure they are crosing fingers and for another epic breach so they can be – pun intended – “#2” on the list.