As with most data breaches involving theft of personal information, especially the type that has the potential to exploit a single point of failure (otherwise known as your SSN), the affected company needs to offer credit protection and credit monitoring for a period of time. I sure hope Anthem has good re-insurance. By one account (http://www.forbes.com/sites/brucejapsen/2015/02/06/anthem-di...) it seems they were storing SSNs in the clear, which is probably akin to begging for something like this to happen in this day and age.
It seems like every 2 or 3 months there is a data breach in the news and a bunch of plain-text info is stolen. And every time I am inclined to imagine the companies storing in plain text would think "oh, we should change something about this".
But then it happens again 2 or 3 months later anyways ...
Before we go to encryption, let's talk about all the SSNs you put on paper that you file with banks, the government, and employers. That's right. They are all in the clear. Whatever you sent to your employer over email (rather than fax) is still in the clear.
A lot of these attacks are trojans that have already breached the network, and insider attackers. The latter is often due to infection (e.g. USB, browsing a problematic website). Encrypting the file, or encrypting the SSN field, is not a full solution but is definitely a really good one.
Tax and identity fraud are nothing new, but the way they are accomplished has changed significantly.
Sure, you can physically intercept mail, but there is a huge difference in magnitude. I wager you could not in any practical way intercept millions (or even thousands) of paper records without being traced.
That's why these poorly protected digital records are such a gold mine.
What surprises me most is that the US doesn't seem to have the same law as here in Canada. Here, pretty much only the bank, the government, or your employer can ask for your social, as that's the law. Plus, they don't send it in the clear online. You'll get receipts either from a secure web site or physically mailed to your address.
Decryption can require several servers to participate rather than one: don't allow a privileged user on one server an easy pathway to access and escalate on another server.
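Worked example of the two points above, the earlier comment's "encrypt the SSN field" and this comment's "decryption can require several servers": added code, not something anyone in the thread posted and not Anthem's setup. The master secret behind the column key is split 2-of-3 with Shamir secret sharing (one share per server) so a single compromised box cannot decrypt. The cipher is an HMAC-SHA256 stream cipher with an HMAC tag, an illustrative stand-in for a real AEAD such as AES-GCM; the Shamir arithmetic over the Mersenne prime 2^521 - 1 is real. All function names, the server roles and the sample SSN 123-45-6789 are made up for the example.

```python
# Added example (not from the thread): the SSN column is encrypted under a data key that
# no single server holds. The master secret is split 2-of-3 with Shamir secret sharing,
# one share per server, so decryption needs two servers to cooperate. The cipher below is
# an HMAC-SHA256 stream cipher with an HMAC tag, a stand-in for a real AEAD such as
# AES-GCM; the Shamir arithmetic is real. All names and the sample SSN are made up.
import hashlib
import hmac
import secrets

# Shamir's scheme works over a prime field; M521 = 2**521 - 1 is a Mersenne prime,
# large enough that the master secret has more than 512 bits of entropy.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x in GF(P) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n):
    """Split `secret` into n shares (x, y); any k reconstruct it, k-1 reveal nothing."""
    assert 0 <= secret < P and 1 <= k <= n
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0. Too few shares give a uniformly random wrong
    value, not an error, so correctness is checked downstream (here by the MAC tag)."""
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def derive_keys(master):
    """KDF step: map the field element to separate encryption and MAC keys."""
    raw = master.to_bytes(66, "big")  # 521 bits fit in 66 bytes
    return (hashlib.sha256(b"ssn-enc" + raw).digest(),
            hashlib.sha256(b"ssn-mac" + raw).digest())


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (illustrative cipher, not AES)."""
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:length]


def encrypt_field(keys, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = keys
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(keys, blob):
    """Verify the tag first; a wrong key (e.g. rebuilt from too few shares) fails here."""
    enc_key, mac_key = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo():
    """One record, three servers, threshold 2. Returns (could a single server decrypt?,
    plaintext recovered when two servers cooperate)."""
    master = secrets.randbelow(P)
    shares = split_secret(master, k=2, n=3)  # shares[0] -> server A, [1] -> B, [2] -> C
    blob = encrypt_field(derive_keys(master), b"123-45-6789")  # constructed sample SSN
    del master  # from here on no single machine holds the whole secret
    try:  # compromised server A alone: its one share rebuilds garbage, tag check fails
        decrypt_field(derive_keys(recover_secret(shares[:1])), blob)
        alone_ok = True
    except ValueError:
        alone_ok = False
    together = decrypt_field(derive_keys(recover_secret(shares[1:])), blob)  # B + C
    return alone_ok, together


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from it: the escalation path the comment warns about is cut at the key, not at the network. Root on one server yields one share and an encrypted column, and the MAC tag is what turns "wrong key" into a hard failure rather than silently wrong plaintext. In production the shares would live in separate key-management services or HSMs and the stand-in cipher would be AES-GCM.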
From the way it looks, the security precautions they are failing at are so trivial that most developers probably have more secure personal servers / computers.