"Because an administrator's account was compromised, no amount of encryption would have prevented this attack," said
That might be of little consolation to consumers fretting about hackers who now have access to their
"We've seen so many large breaches, whether it's Target or
Others say encrypting personal data could have helped.
"They claim it's the expense. Really, there's no excuse," said
Encryption is a method of using mathematical algorithms to scramble data so that it's unreadable to anyone without a key, often in the form of a password.
Anthem has declined to say exactly how it was breached, only that it was "the target of a very sophisticated external cyberattack" the FBI is now investigating. Anthem also called in a
A health care security network that Anthem consulted with last week, the
That's "often a code word for a nation state, especially
How sophisticated the attack was remains hard to verify, but what's clear is that a breach -- possibly starting with just one administrator's account -- won hackers access to tens of millions of private records.
According to Ng, Anthem's data is encrypted when it is in transit.
"But while it's in Anthem's secure environment, it is not," he said.
"Essentially because they used administrator credentials, additional encryption would not have thwarted the attack," he said. "Administrator credentials would have unencrypted an encrypted database."
Anthem's breach affected up to 80 million people, far more than the 37.5 million actually covered by the insurer as of December, according to the company's most recent earnings report. Those hacked included not just Anthem employees but also many former Anthem subscribers, many of whom long ago dropped the insurer.
"The problem we have right now is not that a system can be penetrated, it's that after it's penetrated, all the data is at risk," Bellovin said.
(c)2015 the San Jose Mercury News (San Jose, Calif.)
Distributed by Tribune Content Agency, LLC