I'm hoping that people will start writing songs about cyber-insecurity, and that a good one will emerge that will be acclaimed as the "Anthem of Cyber-Insecurity." It will be sung quietly by groups of computer users who hold hands as they hear the details of yet another massive computer breach. While singing, some of the much-abused users will be silently praying that their "protectors" get bombed by Facebook friend requests by identity-thieved replicas of themselves, while others will pray for the end of "help" that isn't.
The Anthem Attack
I'm one of those praying users, because I'm a member of Anthem, the company that "lost" the personal information of "tens of millions" of its members sometime in 2014; they're not sure how many, whose records were "lost," or when it happened. Here's a personalized communication I received from Anthem:
Anthem has made a priority of communicating with its customers about the attack. When you're in the glare of publicity like this, I'm sure great care has gone into each statement on the case. That's probably why I have received more than one missive with the same date that spins things in different ways. For example, the Feb 13 note above refers simply to "cyberattackers" who "tried to get" private information, raising the possibility that their efforts were foiled by the valiant workers at Anthem.
Check out the identically-dated but substantially different Feb 13 note below.
In this second attempt, Anthem tells us about "cyber attackers" (now two words instead of one) who executed a "sophisticated attack," and "obtained personal information" "relating to" their customers. I guess it was successful? But maybe not, because the behavior of these guys isn't a felony, it's merely "suspicious activity" that "may have occurred." Furthermore, they carefully state that the personal information wasn't the customer's actual personal information, but merely "related to" said personal information. Hmmm....
What "May Have Been" Lost
So what information may have been lost during this incident that may have occurred at some unknown time? A fair amount.
Again, what's clear is that Anthem isn't clear. The information "accessed" (wasn't it stolen?) "may have included names, ..." But maybe not, we are led to believe. If the information that may have been accessed may have included my Social Security number, why isn't it possible that all sorts of other information was also accessed? We are supposed to be reassured that "there is no evidence at this time" that this actually took place -- a nearly ideal way of phrasing something that is supposed to sound like reassurance, but provides full CYA.
Anthem Provides Protection
Anthem has a whole website set up to let its members know what's going on, and to let customers know how they can get protection against the possible unauthorized access of their personal information.
Here's what Anthem will do: they'll pay a third party to help you out.
If you get in trouble, you can call the service, and they'll help you out. Meanwhile, your personal information may be in the hands of people who were unauthorized to access it. If they are the kind of people who will do "unauthorized" things, who knows what perfidy they'll stoop to?
Anthem's Additional Protection
The basic service you get isn't protection at all, as they make clear. Nonetheless, "For additional protection..." -- on top of the non-protection they already provide -- you can sign up for more. What exactly is this more? Quite a bit! Here's some of it:
Wow, and all for free! Let's sign up!
So you enter your e-mail, and get a code, go to the website, enter the code, and finally get to register for protection.
What happens next? Here's the page:
Wow, this is amazing!
I have a chance to enter into a website a good fraction of the private, personal information entrusted to a giant insurance company which, while under their stewardship, "may have been accessed" by "unauthorized" entities.
The security geniuses who kept my information secure want me to give it again to a company that they endorse as being wonderful security experts. Anthem was just terrific at keeping my information secure -- it goes without saying that their endorsement of the security of this partner they've just picked is rock-solid.
These guys are bureaucrats. Read this about bureaucratic security cred. And for more, this.
Summary
Anthem's revenues are greater than $60 billion. They can afford to keep customer data secure.
Anthem's executives are paid enough to do their jobs well. Last year, the CEO made over $16 million and the CFO over $7 million.
And yet...
It took a guy at the bottom rung of the ladder to pay attention and notice something was wrong; had he not cared, the outflow of personal data would still be going on, as it had been for an indeterminate amount of time before the alert employee's observation.
No system or procedure established by the rich, giant entity had anything to do with noticing the breach, much less preventing it.
Everything about what they've done since exhibits the same lack of attention to detail and I-don't-care attitude that made the breach possible. What they mostly seem to want is to dash off letters riddled with errors and assurances, focused above all on their public image.
Their offer of "protection" is a cruel joke, exposing the gullible who accept the offer to further dissemination of their private information.
Conclusion
I'm waiting for that anthem as I sit, holding hands in a circle with my fellow users, thinking dark thoughts. And I'm as likely to enter my personal data into the Anthem-authorized "protection" service as I am to publish it on this blog.