NY Health Insurer Hacked, Over 10M Possibly Affected

HardOCP News

If you have insurance through Excellus BlueCross BlueShield of New York, I have bad news for you. :(

> The Rochester-based insurer said it and its affiliates had been the target of a sophisticated cyber attack and that it was taking steps to address the situation and offering free identity theft protection services to those affected. Excellus said it learned of the cyber attack on Aug. 5 from experts it had hired to perform a forensic assessment of its computer systems following hacking attacks on other health insurers. A subsequent investigation found that the initial hack occurred in December of 2013.
 
These companies seem to think the offering of free credit monitoring is enough to say "Sorry for potentially fucking up your life forever".

I think it's about time there are laws that say it ain't so.

Like, put some CEOs and CTOs in jail for a bit. That will get the point across about having insecure networks.
 
The term "healthcare" in modern America is an oxymoron. It's not healthy, more like a large leech sucking the lifeblood from the working citizen. There is no care either, except by individual doctors and nurses whom the corp has disemboweled. Thanks to all the traitorous pols who made sure the insurance industry got a cash cow delivered to them that makes the auto insurance cash cow look like an ant. Whoever said "the only good politician is found at the end of a rope" sure got it right.
 
> A subsequent investigation found that the initial hack occurred in December of 2013.

I find it disturbing that their entire IT network could not find this out without hiring experts. I get finding traces is difficult, but isn't that part of the network security job title?
 
> I find it disturbing that their entire IT network could not find this out without hiring experts. I get finding traces is difficult, but isn't that part of the network security job title?

Last ISSA meeting I went to we had a security specialist with some numbers tell us that the majority of companies only learn they've been breached after being breached for 3-6 months. If that's any indication of how difficult it is...
 
> Last ISSA meeting I went to we had a security specialist with some numbers tell us that the majority of companies only learn they've been breached after being breached for 3-6 months. If that's any indication of how difficult it is...

I know that it is extremely difficult to find the point of intrusion in a massive network. I just find it wrong that my data is being FORCED into the hands of inept companies. The government can make a law requiring me to give them this data, but refuses to make it a law to protect it.

In a slightly personal example, my credit is being monitored from three different companies right now because three separate businesses lost my data. I wouldn't be surprised if my SSN is public by now.
 
And it continues to get worse.
The Public Internet is a Public Park.
It's not built for security and no one in Power really gives a shit about your life much less your data.
 
> These companies seem to think the offering of free credit monitoring is enough to say "Sorry for potentially fucking up your life forever".
>
> I think it's about time there are laws that say it ain't so.
>
> Like, put some CEOs and CTOs in jail for a bit. That will get the point across about having insecure networks.

Fine fine, but that isn't the direction the government took. Instead the government has offered these companies protection against civil claims for damages. You can't sue them, not even a class action. As long as they sign up under the SAFE Act, meet Federal IA Security Guidelines, and allow the Feds to run Security Scans against their systems, they are safe from civil court actions.
 
> I find it disturbing that their entire IT network could not find this out without hiring experts. I get finding traces is difficult, but isn't that part of the network security job title?

Most of the time all that is done is scans of systems to check for vulnerabilities, known vulnerabilities. Unless something else comes up, like several hundred customers reporting that their identities are being attacked, a company may not even look to see if there exists evidence of intrusion. In some cases you have good security guys who check the logs and look for such evidence. Some companies will pay for forensic software to search for this and it's much better than manual searches. But those are rare, and now that companies have immunity from legal redress in the case of a hack, it's all a moot point. Only an extremely ethical company which places great value on the perception that they are safe beyond reproach would feel compelled to take extra measures to ensure the fidelity of their systems security.
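Two points in the thread are easy to make concrete: the ISSA speaker's "breached for 3-6 months before anyone notices" and the post above contrasting vulnerability scans with actually reading the logs. The script below is an added illustration, not code from the thread, from Excellus, or from any vendor. It parses a few constructed login records (made-up users and addresses), learns which source addresses each account used during a quiet baseline window, flags later logins from a never-before-seen address or outside assumed working hours, and reports the gap between the earliest flagged event and the discovery date. The baseline cut-off, the working-hours window and the "2015" in the discovery date are assumptions; the December 2013 / Aug. 5 dates echo the article.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of remote logins (made-up users and addresses).
# Dates mirror the thread's timeline: a quiet baseline in November 2013,
# then an unfamiliar address appearing in December 2013.
SAMPLE_LOG = """\
2013-11-04T09:12:31 login user=jsmith src=10.20.1.15 result=success
2013-11-05T08:58:02 login user=jsmith src=10.20.1.15 result=success
2013-11-06T17:40:11 login user=rlopez src=10.20.3.7 result=success
2013-11-07T08:15:20 login user=jsmith src=10.20.1.15 result=failure
2013-12-12T02:14:55 login user=jsmith src=198.51.100.23 result=success
2013-12-13T02:31:07 login user=jsmith src=198.51.100.23 result=success
2014-01-09T11:05:44 login user=rlopez src=10.20.3.7 result=success
2014-03-21T03:02:19 login user=svc_backup src=198.51.100.23 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Turn the raw text into (timestamp, user, src, result) tuples.

    Lines that do not match the expected shape are skipped rather than
    raising, because real logs always carry unrelated records."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]))
    return events


def hunt(events, baseline_end_iso, work_hours=(7, 19)):
    """Flag post-baseline successful logins that differ from the baseline.

    Two hypothetical signals (assumptions, not a standard): a user logging in
    from an address never seen for that user during the baseline, and a
    login outside the assumed working hours. A vulnerability scan cannot
    surface either; only the logs can."""
    baseline_end = datetime.fromisoformat(baseline_end_iso)
    known = defaultdict(set)
    for ts, user, src, result in events:
        if ts < baseline_end and result == "success":
            known[user].add(src)
    findings = []
    for ts, user, src, result in events:
        if ts < baseline_end or result != "success":
            continue
        reasons = []
        if src not in known[user]:
            # Also fires for accounts with no baseline history at all,
            # which is itself worth a look.
            reasons.append("new source for user")
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            reasons.append("outside working hours")
        if reasons:
            findings.append((ts, user, src, "; ".join(reasons)))
    return findings


def dwell_days(findings, discovered_iso):
    """Days between the earliest flagged event and the discovery date, the
    gap the ISSA speaker was quoting; None if nothing was flagged."""
    if not findings:
        return None
    first = min(f[0] for f in findings)
    return (datetime.fromisoformat(discovered_iso).date() - first.date()).days


if __name__ == "__main__":
    found = hunt(parse(SAMPLE_LOG), "2013-12-01")
    for ts, user, src, why in found:
        print(f"{ts.isoformat()} {user} {src}: {why}")
    # Discovery date from the article (Aug. 5), year assumed.
    print("dwell (days):", dwell_days(found, "2015-08-05"))
```

On the constructed data the first flagged login lands in December 2013 and the discovery date is Aug. 5, so the reported dwell is a little over 600 days, well past the 3-6 months the speaker cited. The baseline approach is deliberately simple: it asks "what changed?" rather than "what is vulnerable?", which is the distinction the post draws between a scan and a log review.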
 
> These companies seem to think the offering of free credit monitoring is enough to say "Sorry for potentially fucking up your life forever".
>
> I think it's about time there are laws that say it ain't so.
>
> Like, put some CEOs and CTOs in jail for a bit. That will get the point across about having insecure networks.

That'll never happen. They're too rich and powerful to jail.
 
> That'll never happen. They're too rich and powerful to jail.

Not true at all. Had a similar discussion the other day, someone said something similar and it was child's play to google dozens of fat rich cats and senators and governors that have been arrested, jailed, charged, and generally shit upon by the man.

The reason nothing will happen is because of what I just posted. They have gotten the federal government to protect them as long as they adhere to government information assurance guidance. They also can't be sued if they let the feds have your personal information as long as they can show that it is related to a security breach.
 
> Not true at all. Had a similar discussion the other day, someone said something similar and it was child's play to google dozens of fat rich cats and senators and governors that have been arrested, jailed, charged, and generally shit upon by the man.
>
> The reason nothing will happen is because of what I just posted. They have gotten the federal government to protect them as long as they adhere to government information assurance guidance. They also can't be sued if they let the feds have your personal information as long as they can show that it is related to a security breach.

I was being slightly sarcastic as I know there have been some that were charged and jailed...but not as many as there should have been.
 
Oh I'll agree with that even if just because we both know so many just don't think the rules apply to them, not them, they are too special.
 
So now we will live in the stone age and only allow databases to store a limited number and divide the millions of names in one chunk on one server. That is backwards but would protect against the vast amount of damage.
 
> I find it disturbing that their entire IT network could not find this out without hiring experts. I get finding traces is difficult, but isn't that part of the network security job title?

I don't know about every other company's IT dept, but most companies I've worked in hire the cheapest labor they can. That means the dumbest 'computer professionals' that come out of school. And I'm sure there are a lot of other companies just like these. Most don't do what they should; we know that. Look at most departments, and you'll see a bunch of Wally-like guys walking around, trying to do as little work as possible. Something doesn't work? OK, here's your service ticket number, somebody will be down to exchange your device for a new one tomorrow, and we'll just toss the old one in the junk pile because we can't be bothered to even blow the dust out of it. That's what it's like for most of us. And god forbid somebody who knows what to do actually fixes a problem, because that's a breach of security to open up and work on the device that belongs to the IT dept. So nothing works right, nothing is secure, and we pay a fortune for it all, which ends up paying dividends to whoever invested in the stuff that gets purchased to replace things that don't need to be replaced.
 
> I don't know about every other company's IT dept, but most companies I've worked in hire the cheapest labor they can. That means the dumbest 'computer professionals' that come out of school. And I'm sure there are a lot of other companies just like these. Most don't do what they should; we know that. Look at most departments, and you'll see a bunch of Wally-like guys walking around, trying to do as little work as possible. Something doesn't work? OK, here's your service ticket number, somebody will be down to exchange your device for a new one tomorrow, and we'll just toss the old one in the junk pile because we can't be bothered to even blow the dust out of it. That's what it's like for most of us. And god forbid somebody who knows what to do actually fixes a problem, because that's a breach of security to open up and work on the device that belongs to the IT dept. So nothing works right, nothing is secure, and we pay a fortune for it all, which ends up paying dividends to whoever invested in the stuff that gets purchased to replace things that don't need to be replaced.

This is the truth.
Schedule some meeting to talk about it...
A working lunch break sounds perfect.
 