Anthem Breach May Have Started in April 2014 (krebsonsecurity.com)
91 points by wglb on Feb 10, 2015 | 57 comments



Is the 80 million stolen Social Security numbers figure quoted in this article accurate? I had no idea it was so high...that's 25% of the population of the US!


At some point, I think we just have to stop pretending that SS numbers are a secret piece of information. Maybe we should just publish them all and be done with it.


SSNs are identifiers but not authenticators.

The benefit to use of SSNs is that they're assigned by a central authority which does a pretty good (though not perfect) job of ensuring that there's a 1:1 correspondence of SSN to person.

The issues of how they were to be used _other_ than by the Social Security Administration has been up in the air for a long time. I remember in college when "student identifiers" were just SSNs, and grades and other student data would be posted on office doors by Student ID (that is: SSN). That started getting phased out in the 1990s. There's the matter of the namespace -- it was kept intentionally small, and SSN exhaustion is something that will be faced eventually -- the space is sufficient for "several generations", some 450 million have been issued. The total namespace is around 890 million numbers.

The problem is that when you sign up for new services (online, financial, other), there's a desire, though often not a specific need, to associate an account with a specific person. And so the SSN gets drafted to serve that purpose, as a proof of identity, not as an identifier based on other proven identity.

It's a misuse of the identifier.


Don't pretend that the government is without fault here. There's plenty of tax fraud that happens using social security numbers. People can steal your tax refund or even evade taxes by pushing them onto you through your social security number. The system is messed up, and the government is largely responsible for the mess. The Social Security Administration has the same security holes.

What you describe is ideal, but it's not what actually happened. The social security number has been used as identifier and proof of identification for a long time. Part of the problem is that it's from a time when technology did not allow anything more complicated. That's no longer an excuse though. Social security numbers should have been upgraded long ago.


Precisely: identity management is a house of cards. It actually seems, at this point, completely indefensible for the credit system to rely on name, SSN and address as identifiers, since there's really no guarantee that the person who ran out on a loan over here who claimed to have that name/SSN is the same as the person over here who is applying for a mortgage who supplies the same name/SSN.

If a bank got screwed on a loan deal by someone, and all they have to claim it was you is that the person told them your name and SSN? Really, at this point, with so many SSNs leaked, how can they justify blacklisting you with a credit check bureau?

I think you're right. Publish them all. Force banks to come up with a better solution.


> how can they justify blacklisting you with a credit check bureau

On the last Anthem story, someone linked this Mitchell & Webb audio clip: https://www.youtube.com/watch?v=CS9ptA3Ya9E which completely nails it.


> Publish them all. Force banks to come up with a better solution.

But then banks would incur additional expenses, and they would have to, like, reduce executive bonuses or something. That would be terrible!

/s


Reduce bonuses? Ha. More like passing the buck to their customers?


SSNs are not considered secret pieces of information; you could easily publish all SSNs: loop{ xxx-xx-xxx // following ssn format }

However, when they are tied in with other identifying information, this is when they become unique identifiers. The more associated information that is tied to the SSN, the "more secure" the mechanism of identification is. I have noticed this proposal of just not using SSNs at all and incorporating something else. An alternative is the password, which has been proven to not be the best case scenario, as users pick easy passwords to remember. Then 2FA became popular and is becoming much easier to use. Then there were gaps in the SMS or voicemail method of 2FA. My point being that no matter the mechanism put into place to uniquely identify an individual, there is no silver bullet. The more layers a company adds on, the better. Not to say I support HIPAA or any other archaic legislation (PCI etc.); these organizations are tasked with instituting laws or guidelines that are outdated as fast as they are implemented, and are required to make it as reasonable for every entity that is covered under these laws.


Not only could you publish them in a loop, until 2011 they were not random at all. Rather, the first 3 digits behaved much like an area code - if you know where someone was born, you can pretty easily guess the first 3 digits of their SSN.

Apparently in 2011 they changed this, and now none of the numbers are significant.


There's no silver bullet, but it can't be hard to do better than a nine-digit number you reuse everywhere and is almost impossible to change.


So apparently there may be a loophole (info acquired from Wikipedia, confidence == low). The SSN Wikipedia page at the very bottom mentions that SSNs used in advertising are considered invalid.

Possible solution: advertise all SSNs in card format, invalidate them all and force the hand of government? Implausible but not improbable.

Or possibly advertise your own once it is known to be hacked... just throwing wet spaghetti at the wall, but there may be something that sticks.


SS Numbers are definitely becoming increasingly problematic. I don't know if public disclosure is the solution, but within the next 10 years some major changes will need to be enacted.


IMHO, these companies (and a lot of people) are pretending that social security numbers will be treated with extra care. Clearly, this is not the case.


Imagine how interesting this is going to get. You call up some bank to plead with them that you're the real you, the loan wasn't your doing, and the person you're talking to, who's disbelieving you, just spent their morning on the other end of the stick.


It's not just Anthem, it's potentially anyone in the BlueCross network.


Could you please explain this comment? (I apologize if it is addressed in the article, which I have only been able to quickly skim since I'm at work)


From the FAQ[1]:

>Does this impact Blue Cross and Blue Shield plans not owned by Anthem?

>Yes, BlueCard members are impacted. The Blue Cross and Blue Shield Association's BlueCard is a national program that enables members of one Blue Cross and Blue Shield Plan to obtain healthcare services while traveling or living in another Blue Cross and Blue Shield Plan's service area. The program links participating healthcare providers with the independent Blue Cross and Blue Shield Plans across the country and in more than 200 countries and territories worldwide through a single electronic network for claims processing and reimbursement.

[1]: http://anthemfacts.com/faq


Blue Cross/Blue Shield used to be separate hospital/medical insurance providers that were in many states. In some cases (New York until recently) they were partially owned by the state.

Check out the Wikipedia article... There are dozens of affiliated health insurance providers. http://en.m.wikipedia.org/wiki/Blue_Cross_and_Blue_Shield_As...


Does anyone know why Anthem's clients have not been notified, at all, yet?

I am part of Anthem and I have heard literally nothing directly about this, it's all been through news/tech sites.


I got notified by Anthem.

Subject line:

   Important Update from Anthem, Inc.
And the first paragraph is:

   Safeguarding your personal, financial and medical information is one of our 
   top priorities, and because of that, we have state-of-the-art information 
   security systems to protect your data. However, despite our efforts, Anthem 
   Blue Cross was the target of a very sophisticated external cyber attack. 
   These attackers gained unauthorized access to Anthem’s IT system and have 
   obtained personal information from our current and former members such as 
   their names, birthdays, medical IDs/social security numbers, street 
   addresses, email addresses and employment information, including income 
   data. Based on what we know now, there is no evidence that credit card or 
   medical information (such as claims, test results or diagnostic codes) were 
   targeted or compromised. 
So yeah, safeguarding is apparently not that much of a priority.

This from a fucking company that uses an online payment system that limits your password to 8 characters.


Their email stated that they would contact those who have been breached. It appears that everyone was breached. I think that means that they will try and hide the care package (1 year of free credit monitoring) in snail mail so they don't have to pay out.

I already locked my credit and now I'm thinking it's time to freeze my credit so no one can take out new lines without me unfreezing it or increased authentication.

I am learning how this is all working, but if you think about it, it's silly to wait for a breach to have your data locked down.


How do you lock and freeze your credit?


You pay a one-time fee to each of the three credit bureaus. The fee varies by state (around $5-$10, may be less for seniors, usually free for identity theft victims). You can do this online.

If you need to unfreeze (e.g. applying for a new credit card or a loan), you need to pay another fee per credit bureau, so you should find out which bureau will be used. You can unfreeze permanently, unfreeze for a short time period, or get an authorization code that you can give to whoever needs to check your credit report.


From one of the readings, contacting one bureau should be enough. They are obligated to contact the other two.


No, this is in the case of fraud, and then unlock it after 3 months. If you want it frozen until you rescind it, it costs $10 per bureau, but there may be an exception for fraud.


Someone posted this on HN earlier.. https://www.privacyrights.org/how-to-deal-security-breach

In addition to reading that, I signed up for one of those credit monitoring/protection sites. The one I chose was TransUnion, but I'm still learning about this stuff. I suggest you look around.


http://www.consumer.ftc.gov/articles/0279-extended-fraud-ale...

The FTC has the best info for this sort of thing.


This may be a blessing in disguise, as it seems that a deluge of phishing attacks ensued, obviously, after this announcement. Whether or not the attacks are directly attributed to leaked information or the attributed party, be very wary of any emails that anyone does or has received.


Anthem has stated that they will not be calling or emailing clients and you should check their site http://AnthemFacts.com for updates. (Why that site is not protected by SSL I have no idea.)

If you do get contacted personally it's a safe bet it's a phishing attack.

Our company is affected and all our interaction has been through HR. I would contact your HR department.


Well, you need to correct this a bit.

Anthem will not be emailing individuals, but apparently will be sending a snail-mail packet of information including an offer for credit-monitoring services. And they have been contacting, via email, the benefits/HR people of client companies which used Anthem for group health plans for their employees.

(that all comes via my employer, which has been sending me updates about this)


That site is strange - they have a big box saying that no medical or credit card data was compromised, then buried in the body text we find out that "These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. "

CC numbers are far less important than any of those identifiers - unlike your SSN or address, they're easy to change. Someone with all that info can just apply for their own CC or loan in your name...


I received an email last week - maybe check your spam?


Anthem said they wouldn't be sending emails, so that may have been a scam:

"Members who may have been impacted by the cyber attack against Anthem, should be aware of scam email campaigns targeting current and former Anthem members. These scams, designed to capture personal information (known as "phishing") are designed to appear as if they are from Anthem and the emails include a "click here" link for credit monitoring. These emails are NOT from Anthem."


I received one as well.


My wife's company uses Anthem, and they've been notified by their HR department that they are part of the breach, but that is all they know for now.


Our HR department sent out a notice that had been passed down from Anthem.

Today we received a second notice warning of phishing scams that was passed down from Anthem.


Got notified twice by Anthem (email) and once by my company (HR got contacted by Anthem), but they still haven't confirmed if my data has been disclosed (obviously, I suppose it has).


As long as U.S. laws fail to impose significant costs for data security breaches, we can expect companies to treat the costs of these breaches as the cost of doing business--just as they do with litigation costs for faulty automobile parts, manufacturing pollution, and the like.


Any such law would be used to squash small businesses while larger ones are largely given a pass (even a fine large enough to sting will only sting). See the difference between dealing with known drug money as an individual vs. as a bank.


Then tie it to the company size, or make it big but limit it according to some factor (as far as I remember, here in Germany it is limited by a percentage of revenue). And/or add personal liability for people having oversight over this, of course also within limits.


In Massachusetts, 201 CMR 17.00 sets a $5000 per violation fine for losing personal information. The law itself is poorly written, so it's unclear if a violation is per individual, or per incident. I would love to see it enforced per individual, and for our AG to go after and destroy Anthem, and all the other companies that keep getting away with this.

If enough companies are destroyed, eventually they will start taking security seriously.


U.S. laws, estimable and glorious as they are, can't begin to fix a global problem like this.


Isn't this the type of scenario HIPAA is supposed to cover?


It is. HIPAA should destroy these jerks. The problem is that they are stating that no health data was actually lost... just the part of the health data that identifies you and can be used to ruin your credit.

Since that part of the data should be the most locked down, it seems like a complete lie to me. I think the health info was compromised completely.


Amazing how whoever broke in only stole name/address/SSN information. But didn't touch the protected medical records?

https://www.noagendaplayer.com/listen/694/2-19-54


Those are likely in an entirely separate system.


I would bet that they store SSN and MRN in the same table. Since the personally identifiable information (patient demographics) is the foreign key for the patient data, it seems likely that everything is compromised.

One way to have not allowed this is to force the database to restrict queries to use two pieces of information in the where clause. This means that they would have to search for name = "John Smith" and MRN = "xyz". This would prevent mass queries and database dumps.
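The two-identifier rule proposed above, implemented as an application-layer lookup gateway (added example, not code from the thread or from Anthem; it assumes an in-memory SQLite table filled with constructed sample records). It only governs callers that go through this path, so an attacker holding direct database credentials is not constrained by it, which is why it is paired with an audit log of refused lookups that a detection pipeline could watch.

```python
import sqlite3

# Constructed sample records for the demo (assumption: fake names, SSNs and MRNs).
SAMPLE_PATIENTS = [
    ("John Smith", "000-00-0001", "MRN-001"),
    ("Jane Doe",   "000-00-0002", "MRN-002"),
    ("John Smith", "000-00-0003", "MRN-003"),  # same name, different patient
]

# Audit trail of refused lookups; a burst of these is a detection signal.
AUDIT_LOG = []


def build_db():
    """Create an in-memory table holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (name TEXT, ssn TEXT, mrn TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", SAMPLE_PATIENTS)
    return conn


def _is_selective(value):
    """True for a concrete identifier: a non-blank string with no LIKE wildcards.

    The query below compares with '=' so '%' and '_' are already literal;
    rejecting them keeps the rule intact if the comparison is ever changed to LIKE.
    """
    return isinstance(value, str) and value.strip() != "" and not (set("%_") & set(value))


def lookup_patient(conn, name, mrn):
    """Return the single record matching BOTH name and MRN, else None.

    This is the only read path the application exposes: there is no
    single-predicate or unfiltered SELECT, so a caller who obtains
    application credentials cannot enumerate the table through it.
    """
    if not (_is_selective(name) and _is_selective(mrn)):
        AUDIT_LOG.append(("rejected", "both name and MRN are required", name, mrn))
        return None
    rows = conn.execute(
        "SELECT name, ssn, mrn FROM patients WHERE name = ? AND mrn = ? LIMIT 2",
        (name, mrn),
    ).fetchall()
    if len(rows) != 1:
        # Zero rows: wrong pair. Two rows: data problem; refuse rather than leak both.
        AUDIT_LOG.append(("rejected", "pair does not identify exactly one patient", name, mrn))
        return None
    return rows[0]


if __name__ == "__main__":
    db = build_db()
    print(lookup_patient(db, "John Smith", "MRN-001"))  # the one matching record
    print(lookup_patient(db, "John Smith", ""))         # None: only one identifier given
    print(AUDIT_LOG)
```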


Having the ID - SSN or MRN - isn't the same as having the patient's full medical records. It'd be entirely possible for a system to have the IDs and not the data - a billing system, perhaps. It all depends on the nature of the compromise.


The argument I'm trying to make is that if someone compromises SSNs, which are used to authorize patients, it's very likely that they have also compromised MRN since MRN is what most healthcare applications use internally as the identifier for patient data.

In the case that they stored SSN and MRN together, which I believe is highly likely, the attackers also gained access to the MRN.

If the most highly protected data, the demographic data (the name and identifying information about the individual patient), is unencrypted and easily compromised, I believe that patient data was very likely compromised as well.

It is possible, however, that the attackers were only after information that could be used to commit identity theft, so they may have ignored the health information; however, this does not mean that the health information was properly protected.


I'm not sure that it's a settled matter that HIPAA doesn't apply in this case. PHI includes demographic information which would seem to apply here just based on what we already know has been leaked.


The problem is, the jerks have more lawyers and lobbyists than you do, so you lose by default.

Money begets money, power begets power. Either begets the other. The great vicious cycle of our civilization.


I worked in several similar companies; indeed, it's extremely rare that such data is well protected. It works under the assumption that if it hasn't been broken into until now then it's safe enough.

Obviously that's broken logic since:

- You're not compromised by default/when the business starts.

- When you're compromised, you probably don't even know it. You might find out in a few years if lucky.


Even in tech companies (even Google) security is handled like that.


I doubt Google-esque companies would store a users table with foreign keys to social security numbers, street addresses and phone numbers unencrypted (FDE does not count as it's for hardware loss, not data loss) or at least without some kind of base-level ACL, but I would love to be surprised.

Much of the data I presume that Google deals with is not sensitive enough to warrant the kinds of encryption that a health provider company should use. My search data and even my Google+/YouTube/Gmail accounts are enough to tie them to my person, but not my identity. I, or someone masquerading as me, cannot open a line of credit with my Google account at a bank.


Eh there was a story about Google leak of SSN a few years back on HN. I'll see if I can dig it up. I'm sure they've learned since then of course.

Edit: This wasn't it, but interesting nonetheless: https://news.ycombinator.com/item?id=2254394


And you know that because you've worked at which large tech companies, exactly?

