Large-scale data breaches have spiked more than 270 percent in 2020, costing companies billions as criminals take advantage of the massive increase in business conducted online. The average cost of a data breach is now a staggering $3.86 million, with healthcare breaches costing an all-time high $7.13 million.
With this in mind, we sat down recently with Roy Mellinger, former CISO of Anthem, for a candid conversation on what he learned from their breach in 2015. It’s not often you get first-hand lessons from someone who has experienced a “worst-case scenario.” Roy shared how he navigated a myriad of issues, including public relations and litigation – and how the experience informs the way he advises companies today.
About the Anthem Breach
In 2015, Anthem was the largest health insurance company in the US, with the most “covered lives” and biggest market share (today it remains #1 in market share and #2 in covered lives, insuring over 40M Americans). Between 2014 and 2015, a Chinese hacking group stole the sensitive data of 78.8 million customers and employees, including their names, dates of birth, addresses, telephone numbers, email addresses, income data, and social security numbers. When the dust settled in 2017 and Anthem paid $115 million to settle the class action lawsuit, it was the largest data breach settlement in history with the most health records stolen.
The hackers began with spearfishing, a sophisticated, targeted attack that deployed malware, providing access to Anthem’s systems. The attackers remained dormant for months at a time, waiting for the right moment to exfiltrate the data. Two Chinese nationals were indicted in 2019, and in 2020 when four more were indicted for the Equifax breach, the Department of Justice publicly linked the breaches at Anthem, Equifax, Marriott, and the US Office of Personnel Management (OPM) for the first time. All four rank among the largest and most serious data breaches ever. Highly targeted, they aimed to build a complete database on US citizens that can be used for a multitude of nefarious purposes (the Wired article linked above is worth a read).
Interview with Roy Mellinger
You were the CISO of Anthem in 2015 when the company announced the data breach affecting 78.8 million people. What was that like for you as the head of the cybersecurity org?
That time was very intense as you can imagine. It was all hands on deck – which actually made our response very successful because it was not only the executive leadership team, but also the cybersecurity group, investor relations, privacy teams and even the board of directors who played key roles in our communications strategy. Everybody came together to row the boat in the same direction to get through it; to not only resolve the breach but to also deal with the court of public opinion, the political aspects, and the litigations that were soon to follow. So it was an intense but very focused time that I think we successfully navigated.
What did you find most surprising about the breach?
Despite our excellent cybersecurity program, forensic labs, and outstanding cybersecurity operation center, the thing that I found most interesting was how long the attackers had actually been in the systems. The data exfiltration was very brief, but they had actually been inside for a period of time surveilling the systems through a number of different avenues. In what I’d liken to covert operations and espionage, usually there are multiple penetration points and they often talk about sleeper cells and the like. That’s what I recognized after we got all the facts in the investigation. The criminals had actually been inside via a number of avenues and left many of them dormant, and then when we started closing down the attack vectors, they tried reopening some of those old dormant “portals” or “windows” (which we were successful in discovering). It was clear that they had been doing their homework.
Can you tell us about how you, and Anthem as a whole, handled some of those external reactions from the media, lawsuits, etc that you mentioned?
Part of what was key for Anthem (and what I recommend to other companies) is having a formal breach response program in place. It’s not enough to have a data recovery or disaster recovery program.
It’s not a matter of if an organization will get breached; it’s truly just a matter of when. How you respond is even more scrutinized if you’re in a highly regulated industry like banking or healthcare.
One of the things that Anthem handled extremely well was the speed of our response. We were very quick to have our CEO go public, and we could do that because we had our media statements prepared. We had prepared for a situation like this. In the response, we were able to be very sensitive to brand loyalty and brand trust.
“Success” when it came to an external response in 2015 was different. It used to be about business continuity and the recovery of your systems. Today it’s really about what I call “authoritative reaction and controlled response.”
You need to be able to pivot quickly when things like this happen and promptly react, accurately respond, and communicate – even though you may not have all the facts – to the public and to regulatory and oversight bodies, and let them know, “This is what’s taking place. This is what we’re doing about it.” We were very quick to do that publicly. We controlled the message which is critical because if you’re not controlling the communication, somebody will control it for you. You also need to factor in the digital communication spaces like social media, not just the traditional press.
And we went to Washington D.C. very quickly, before the media story broke, to make sure that members of Congress were aware of what was taking place with different states’ attorney general’s offices and regulatory bodies. We reached out immediately and let them know, “This is what took place, we’re going to be making a press statement, we wanted you to hear about it first.” And I think that garnered us a lot of goodwill. The FBI and others would call that the new gold standard of how a breach should be handled. We were very transparent upfront.
No company wants to go through this but we’re seeing attacks continue and I think everybody’s realizing that, again, it’s not a matter of if, just when, and any organization could be targeted. Being able to respond quickly, having a prepared plan, and knowing what your communication tools are going to be – I think that’s very much key.
What can CISOs do to better support their legal department when litigation is filed?
Have a strong program and have it documented. Policies and procedures that are not just a one-time, set-it-and-forget-it kind of thing, but are constantly updated.
It’s okay to have risk as long as it’s identified, management knows about it, you’ve reported it, and you’re working towards mitigating that risk. It’s got to be that internal auditing, external auditing, and the security department are all working in combination – that’s the 3 legged stool for risk management.
It also helps to get certified by ISO or HITRUST. That’s external authoritative validation, by others and not just yourself, that you are doing the right thing. It’s very hard to argue in a court of law that you didn’t do the right things if you’re assessing your programs, testing them, and documenting them.
We’re curious to hear how you think about the human attack surface.
I think you can mitigate a lot of human error by focusing on the basics – basic blocking and tackling.
The reality is that most attacks are opportunistic, and the way to prevent those is not to become a victim. I liken it to physical security. Somebody’s walking up and down the block and they’re checking the front doorknobs, or they’re walking through a parking lot and they’re checking door handles. If your home is locked up, your car is locked up, you’ve prevented yourself from becoming a victim. The bad actor’s going to move on to the next house or next car.
But if your basic network isn’t secure, if you haven’t done the fundamentals, then right off the bat, they found an easy target. Covering the basics gets harder as your organization grows; the more servers, the more infrastructure you have, the more difficult it can be. But it boils down to basics like:
- Do you have a patch management process in place, and are you patching in a timely manner?
- Are you doing vulnerability scans regularly, not just once a year or every 6 months?
- Are you just scanning the DMZ or are you also scanning customer-facing applications?Are you doing code scans of your apps?
- Are you scanning internal servers, databases, and endpoints? Constantly, and not just once a quarter or once a month?
- Do you have a server-hardening approach or program where you can guarantee that every server has the right security tools in place, is patched, etc? Is somebody auditing that?
- Are admins using secure passwords? What about other employees? Customers?
- Are you following NIST guidelines?
I see these as fundamentals that take at least some of the risk away.
But human error continues to cause problems. Misconfigurations, for example. There have been many, many unfortunate breaches where a system may have been secure, but they did a software upgrade and forgot to turn the security controls back on. And suddenly an attacker backs out of the URL a little bit and they’ve got admin access to an application.
But I think getting back to the basics, as difficult is that may be, counters a lot of the risk. And then you can begin looking at the more focused types of attacks that are targeted and figure out how to prevent those. But you have to start out with the basics.
With many security measures looked at as expensive line items on a budget, how do you demonstrate ROI?
When you have departments competing for budget and you can’t always show how your department is profitable, you have to address how you’re saving the company money with anti-litigation, anti-breach measures. For example, once brand loyalty is questioned, you lose customers and it becomes very difficult to rebuild that trust. The loss of trusts costs the company money. How you can solve for that as a CISO through anti-breach programs becomes important to show.
And demonstrating publicly that the company is protecting users’ privacy and identities… as a CISO you can work with marketing to figure out how to turn your expensive security program into marketing material, goodwill, and positive PR.
What other advice do you have for security teams on how to demonstrate ROI as they’re making a business case for a security vendor or a new solution?
When you’re evaluating a security vendor, you have to ask yourself how they add value, how does the product differentiate itself, and how does the company differentiate itself? Beyond that, what else can they provide? For example, if it’s anti-virus, anti-malware software, etc, can our employees use it at home with no additional charge? Will they give a discount for customer referrals or intros?
You can also look at security awareness as part of the strategy for proving ROI to the company. Will the vendor provide quarterly or semi-annual updates for our executive team? Or resources like lunch and learns, webinars or other educational content? Because many companies are resource strapped, what mechanisms are in place from a security awareness perspective to help internally enhance the message?
If you’re reporting to a board monthly or quarterly, it’s important to illustrate and share your security awareness programs statistics, and even better if your vendor can help with that. For instance, sharing your sample phishing messages and how the company performed, i.e. here’s the one that had the highest rate of clicks. It was always fascinating – and would drive home the point – when a board member or senior executive would admit to clicking it.
As security leaders, we’re asking ourselves the question, how do we measure continuously so we know we’re making progress? Because it’s okay to have gaps. You’ll never get it right 100% of the time, but how are you measuring to ensure that you’re raising the bar over time? To me that’s part of that strategy of communicating ROI for security investments. More than that, it’s about teaching people along the way.
Selfishly, we have to ask, what value do you see SpyCloud adding to a security portfolio?
I find SpyCloud’s product and approach to be very fascinating. There are a lot of products out there that crawl the web, looking for compromised information. What I’ve found is that the speed of discovery has not been as prompt as I’ve always liked, or the information is stale. What’s unique about SpyCloud is the use of human intelligence. SpyCloud has individuals out there looking for the information and getting it faster than scraping tools. For a company to hire and keep that talent on their own is impossible. Usually you’re lucky if you have one or two people doing it, but they can never do it full time. So having an organization that’s already doing that, and able to turn information around in a timely manner is highly valuable.
SpyCloud shared with me a compromised account found via a botnet. They discovered that the account had been compromised 5 times previously, by comparing it to data already in the SpyCloud database. To me, that context is powerful, and it’s great ROI. You’re not just proving one incident; you’re starting to see the spider web, the inner connections where this one compromised account or this one individual has now led to multiple compromises. If their password is known here, here and here, where else could it be known? That illustrates something to your board and executive team, and it gives you an opportunity to educate, not punish, the user. If they reuse passwords, you can educate them on the danger of their credentials being exposed across personal accounts too.