Investigators Eye China in Anthem Hack: Breach Could Be Part of Spying Campaign, Not Identity Theft

The Wall Street Journal


By Danny Yadron
Feb. 5, 2015 3:19 p.m. ET

Investigators see links to China as they probe a data breach in which tens of millions of Social Security numbers were taken from Anthem Inc., the second largest U.S. health insurer.

The probe, which includes teams from the Federal Bureau of Investigation and FireEye Inc., remains in its early stages. Anthem discovered the incident last week.

But people close to the investigation say some of the software and techniques used are similar to tools used almost exclusively in attacks linked to China. The malicious code is part of a software family researchers call “Sakula,” which has been linked to China in the past, they said.

The hackers appear to be after personal information, such as Social Security numbers, and not financial information, like credit cards. Anthem said credit-card information, and medical information, weren’t at risk from the hack, in which 80 million customer records were exposed.

Last year, Community Health Systems Inc. blamed China for an intrusion that captured Social Security numbers and other personal data for 4.5 million people. U.S. officials also linked China to the theft of employment records from the Office of Personnel Management.

In those cases, none of the records were found for sale online. Anthem officials have said they haven’t seen any of their customers’ information for sale online.

Hacking experts and former U.S. officials say they have no evidence that China’s cyberwarriors try to monetize the personal data they steal. Rather, these former officials suspect China seeks information to find details on specific intelligence targets.

By contrast, credit-card numbers stolen from Target Corp. in 2013 and Home Depot Inc. in 2014 appeared on the black market almost instantly. Those attacks were linked to Russian-speaking hackers.

Former U.S. officials said it is certainly possible Chinese hackers could try to sell the data as well.

The Chinese embassy in Washington didn’t immediately respond to a request for comment.

News that investigators were looking at China was previously reported by Bloomberg News.
The Wall Street Journal

Health Insurer Anthem Hit by Hackers

Breach Gets Away With Names, Social Security Numbers of Customers, Employees

The database of health insurer Anthem Inc., containing personal information for about 80 million customers and employees, has been hacked.

By Anna Wilde Mathews
Updated Feb. 4, 2015 9:39 p.m. ET

Anthem Inc., the country’s second-biggest health insurer, said hackers broke into a database containing personal information for about 80 million of its customers and employees in what is likely to be the largest data breach disclosed by a health-care company.

Investigators are still determining the extent of the incursion, which was discovered last week, and Anthem said it is likely that “tens of millions” of records were stolen. The health insurer said the breach exposed names, birthdays, addresses and Social Security numbers but doesn’t appear to involve medical information or financial details such as credit-card or bank-account numbers, nor are there signs the data are being sold on the black market.

Anthem, which offers Blue Cross Blue Shield plans in California, New York and other states, said it doesn’t know precisely how many people may be affected. So far, it appears that the attack detected last week is the only breach of Anthem’s systems, and it isn’t yet clear how the hackers were able to obtain the identification information needed to access the database, said Thomas Miller, the insurer’s chief information officer. The insurer said it would reach out to everyone whose information was stored in the hacked database with a letter and, where possible, email. It is also setting up an informational website and will offer to provide a credit-monitoring service.

Its decision to reveal the attack days after its discovery, even as the investigation is getting under way, may signal a changing attitude among corporate executives about rapid disclosures in the wake of breaches of companies including Target Corp., Home Depot Inc. and Sony Pictures Entertainment Inc.

Anthem detected the breach itself, which puts it in the minority among companies subject to such attacks, and “organizations don’t typically provide notification this early on,” said David Damato, managing director at FireEye Inc., owner of cybersecurity unit Mandiant, which Anthem has hired to investigate.

When hackers intruded on servers at J.P. Morgan Chase & Co. last summer, the incident was reported by media outlets weeks after the bank had learned there was an issue. The bank has said previously that only contact information was compromised and it has seen no fraud associated with the event.

Anthem’s Mr. Miller said the company wanted “to share the information as soon as possible.” Federal law requires health-care companies to inform consumers and regulators when they suffer a data breach involving personally identifiable information, but they have as many as 60 days after the discovery of an attack to report it.

Anthem, based in Indianapolis and formerly known as WellPoint, covers around 37.5 million people. The hacked database included information for some current and former customers as well as its own employees; it also held medical and financial details, but the insurer said those details don’t appear to be included in the data stolen by the hackers.

The Anthem incident could rank among the largest of recent attacks. The J.P. Morgan breach compromised contact information for about 76 million households. Home Depot has said 56 million credit-card accounts were compromised, and 53 million customer email addresses stolen. Target’s cyberattack affected 40 million payment cards. Both retailers offered credit monitoring after the fact, and banks typically reimburse consumers for fraudulent charges resulting from a data breach.

Daniel Nutkis, chief executive of the Health Information Trust Alliance, a nonprofit that helps health-care companies with computer security, said the largest previously known hacker theft from a health-care company was last year’s intrusion at hospital operator Community Health Systems Inc., which involved records on 4.5 million consumers. In that case, the company said it regretted the breach and pointed to a group originating from China for the attack. Much of the sector remains vulnerable, and few have the ability to detect and respond to an attack as Anthem has, he said, though the alliance has already started warning other health-care companies about what happened to the big insurer.

Mr. Damato, of FireEye, said the firm has seen more cyberattacks specifically targeting health-care concerns. Health companies often hold rich stores of consumer data, including sensitive details of people’s prescriptions, care and illnesses. He said the Anthem attack was “sophisticated” and used techniques that appeared to have been customized, rather than broadly available tools, and were “very advanced.”

Investigators haven’t yet concluded who was behind the Anthem breach. Community Health Systems, for one, said it believed its incursion originated in China.

Anthem’s Mr. Miller said the first sign of the attack came in the middle of last week, when a systems administrator noticed that a database query was being run using his identifier code although he hadn’t initiated it. Anthem quickly determined that an attack had occurred, he said, informed the Federal Bureau of Investigation and hired Mandiant. Investigators tracked the hacked data to an outside Web-storage service and were able to freeze it there, but it isn’t yet clear if the hackers were able to remove it earlier to another location, Mr. Miller said. The Web-storage service used by the hackers, which Mr. Miller declined to name, is one commonly used by U.S. companies, which may have made the initial data theft harder to detect.

A spokesman for the FBI said the agency is “aware of the Anthem intrusion and is investigating the matter” and praised the insurer for its “initial response in promptly notifying the FBI after observing suspicious network activity.”

In the wake of the attack, Anthem has reset the passwords of all employees with higher-level access to its data systems, and has blocked all access that involves only one password, Mr. Miller said. Anthem said it doesn’t expect the incident to affect its 2015 financial outlook, “primarily as a result of normal contingency planning and preparation.”
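The detection described above, an administrator noticing a database query running under his own identifier that he had not issued, generalizes to a rule a security team can run over database audit logs: flag a privileged identifier when it is used from a workstation, or at an hour, that does not match that account's baseline, and note when such an anomalous session reads personal-data columns. The following is an added example written for this page, not code from the article, Anthem or Mandiant; the key=value log format, the account names, hosts, hours and column names are all constructed for illustration, and the baseline would in practice come from an asset inventory or an identity system rather than a hard-coded table.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample audit log (not real data). The key=value layout is a
# hypothetical format; adapt LINE_RE to whatever your DBMS actually emits.
SAMPLE_LOG = """\
2015-01-27T14:02:11Z user=dba_admin src=10.20.5.14 stmt="SELECT count(*) FROM members"
2015-01-27T14:40:55Z user=app_svc src=10.20.9.3 stmt="SELECT plan_id FROM members WHERE id = ?"
2015-01-28T02:17:40Z user=dba_admin src=10.88.3.201 stmt="SELECT ssn, name, dob, address FROM members"
2015-01-28T02:19:03Z user=dba_admin src=10.88.3.201 stmt="SELECT ssn, name, dob, address FROM members WHERE id > 5000000"
2015-01-28T09:05:17Z user=dba_admin src=10.20.5.14 stmt="SELECT ssn FROM members WHERE id = 42"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) stmt="(?P<stmt>.*)"$')

# Columns whose appearance in a statement marks it as a read of personal data
# (assumed schema; substitute the sensitive columns of your own tables).
PII_RE = re.compile(r"\b(ssn|dob|address)\b", re.IGNORECASE)

# Assumed baseline per privileged identifier: the workstations the account is
# issued to and the UTC hours in which interactive DBA work is expected.
PRIVILEGED: Dict[str, dict] = {
    "dba_admin": {"hosts": {"10.20.5.14"}, "hours": range(7, 20)},
}


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    src: str
    reasons: Tuple[str, ...]
    stmt: str


def parse(line: str) -> Optional[dict]:
    """Split one audit line into fields; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(rec: dict) -> List[str]:
    """Return the reasons a record is suspicious, or [] if it is not.

    Only privileged identifiers are in scope. A PII read by a DBA is routine on
    its own, so it is reported only when the session itself is anomalous
    (unknown source host or outside expected hours).
    """
    profile = PRIVILEGED.get(rec["user"])
    if profile is None:
        return []
    reasons: List[str] = []
    if rec["src"] not in profile["hosts"]:
        reasons.append("unknown-source-host")
    hour = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
    if hour not in profile["hours"]:
        reasons.append("off-hours")
    if not reasons:
        return []
    if PII_RE.search(rec["stmt"]):
        reasons.append("pii-column-read")
    return reasons


def scan(log_text: str) -> List[Finding]:
    """Run evaluate() over every parseable line and collect the findings."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        reasons = evaluate(rec)
        if reasons:
            findings.append(Finding(rec["ts"], rec["user"], rec["src"], tuple(reasons), rec["stmt"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.user}@{f.src} {','.join(f.reasons)}: {f.stmt}")
```

Run against the constructed log, only the two 02:00 statements from the unlisted host are reported; the administrator's own daytime read of an SSN column from his issued workstation is not, which keeps the rule from paging on ordinary DBA work. The second-factor point in the article maps onto the same data: once single-password access is blocked, a valid identifier arriving from an unenrolled host should not be able to open a session at all, and the rule then serves as a check that the control holds.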
