Attack detected in time but illegal access was not stopped

May 21, 2015 08:28 GMT

Personal information belonging to about 1.1 million current and former customers of CareFirst BlueCross BlueShield health insurer has been accessed without authorization by an unknown party, in what the company calls a sophisticated cyber attack.

Following a security assessment of its computer systems, which focused on indicators of compromise, CareFirst learned that its network was breached on June 19, 2014.

No social security numbers or financial data were exposed

Although the company detected the attack at the time it occurred, it believed then that it had responded quickly enough to prevent access to member information.

However, the security review conducted by FireEye’s Mandiant revealed evidence on April 21, 2015, that data may have been taken by the intruder.

It appears that the intruder was able to access a database containing information added by customers when using the company’s websites and its online services.

Chet Burrell, CEO of CareFirst, said on Wednesday that names, dates of birth, email addresses and usernames had been exposed to the unauthorized third party. He stressed that passwords remained safe and, as a consequence, more sensitive information (medical claims, social security numbers, or financial data) was not affected.

Nevertheless, affected individuals will have to create new credentials, because their accounts have been blocked and a password reset procedure has been put in place.

Two years of free identity protection and credit monitoring

In a public notification, the company says that passwords are stored in encrypted form on a separate system, specifically to protect against this type of intrusion.

Burrell says that the data potentially taken by the perpetrator would be of limited use, but a name paired with an email address is a valuable asset for phishing attacks, which could trick the victim into divulging sensitive information, leading to identity theft and credit fraud.

To protect customers from direct and indirect negative consequences, CareFirst is offering all affected individuals (anyone who registered for the company’s services before June 20, 2014) a two-year complimentary subscription to identity protection and credit monitoring services.