Following the news that Community Health Systems has suffered a data breach, affecting 4.5 million people - http://www.reuters.com/article/2014/08/18/us-community-health-cybersecurity-idUSKBN0GI16N20140818 - Lamar Bailey, director security R&D at Tripwire and Jonathan French, security analyst at AppRiver explain why this is the worst type of breach:
Lamar Bailey, Director security R&D, Tripwire says:
“From a consumer standpoint this is the worst type of breach. When financial data is stolen, such as when credit card numbers are stolen from retailers, the retailer and card issuers are hit with the fraudulent charges and the costs for generating new cards but when personal information is stolen - name, address, phone number, birth dates, and social security number - it impacts the person and not a company. This is the information needed for identity theft to allow criminals to open accounts in the names of the 4.5 million victims. The other concern is that this data can be used on the black market to create new identities for scores of criminals and terrorists . Anyone affected by this breach should freeze their credit immediately to stop new credit accounts from being open without their consent.”
Jonathan French, Security Analyst, AppRiver, writes:
“This is a pretty big deal. Healthcare systems seem to be getting a closer eye on them by attackers. This may be due to each healthcare provider/network possibly having different standards to information security (some maybe more lax than others). And as the article mentions, The FBI has already warned the healthcare sector they need to step up their security.
“Ignoring that it was a healthcare breach and looking at the data, this is similar to most other breaches. The stolen data didn’t appear to have anything healthcare specific to it from what they have said. The data included “patient names, addresses, birth dates, telephone numbers and Social Security numbers”. The big one of those being social security numbers. The other data alone can do damage, but having valid social security numbers and the other information tied to the numbers can possibly cause a lot of damage. And with 4.5 million of these, I imagine this information, if sold, could be pretty profitable for the attackers.
“Also as a side note, in the original paper they filed (http://www.chs.net/investor-relations/sec-fillings/) they do mention they are taking action to notify everyone that was effected and provide credit monitoring services for those individuals. That seems to be the standard response for these types of incidents as of late.”