Slashdot Mirror


CareFirst Admits More Than a Million Customer Accounts Were Exposed In Security Breach

An anonymous reader writes with news, as reported by The Stack, that regional health insurer CareFirst BlueCross BlueShield has confirmed a breach which took place last summer, and may have leaked personal details of as many as 1.1 million of the company's customers: "The Washington D.C.-based firm announced yesterday that the hack had taken place in June last year. CareFirst said that the breach had been a 'sophisticated cyberattack' and that those behind the crime had accessed and potentially stolen sensitive customer data including names, dates of birth, email addresses and ID numbers. All affected members will receive letters of apology, offering two years of free credit monitoring and identity threat protection as compensation, CareFirst said in a statement posted on its website." Free credit monitoring is pretty weak sauce for anyone who actually ends up faced with identity fraud.

82 comments

  1. Criminal liability ... by gstoddart · · Score: 4, Insightful

    The only way to fix this is criminal liability, with very stiff fines.

    If they're going to continue to be incompetent at security, hit them where it hurts ... right in the profits.

    As long as corporations can say "oops" and just pretend that two years of credit tracking like this, nothing at all will change.

    Until then, corporations will be as incompetent and lazy as the law allows ... which is pretty much as incompetent and lazy as they want to be.

    If you don't make the company pay actual fines, escalating to much bigger things for repeat offenses, corporations will simply do whatever their PR consultants tell them they can get away with ... basically nothing.

    --
    Lost at C:>. Found at C.
    1. Re: Criminal liability ... by Old97 · · Score: 4, Interesting

      Care First is a not for profit company. No shares. No investors. It's member owned.

      --
      Very often, people confuse simple with simplistic. The nuance is lost on most. - Clement Mok
    2. Re: Criminal liability ... by Anonymous Coward · · Score: 1

      That matters nothing when I have fabrications to get upset about.

    3. Re:Criminal liability ... by Dunbal · · Score: 2

      Agree 100% with your post. But it will never happen. No one wants to be the prosecutor/judge who put 10,000 people out of work. So we get slaps on the wrist and minuscule fines, and corporations just go on doing what they feel like doing with lip service to laws that would easily have any one of us in jail serving consecutive sentences.

      --
      Seven puppies were harmed during the making of this post.
    4. Re: Criminal liability ... by Dunbal · · Score: 1

      Kind of like - the federal reserve?

      --
      Seven puppies were harmed during the making of this post.
    5. Re:Criminal liability ... by bobbied · · Score: 1

      I thought we had that with HIPPA.... Did I miss something?

      Maybe it's enforcement that's lacking? Actually, take them to civil court, recover damages... That will fix them..

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    6. Re:Criminal liability ... by antiperimetaparalogo · · Score: 1

      The only way to fix this is criminal liability, with very stiff fines.

      I agree... have those cyberattackers pay for the rest of their lives.

      If they're going to continue to be incompetent at security, hit them where it hurts ... right in the profits.

      As long as corporations can say "oops" and just pretend that two years of credit tracking like this, nothing at all will change.

      Until then, corporations will be as incompetent and lazy as the law allows ... which is pretty much as incompetent and lazy as they want to be.

      If you don't make the company pay actual fines, escalating to much bigger things for repeat offenses, corporations will simply do whatever their PR consultants tell them they can get away with ... basically nothing.

      Oh... wait... you mean punish the victim!? If criminal negligence exists, then o.k., but don't accuse the victim (and the "corporations" in this example are victims also) for the success of the criminals.

      --
      Antisthenes: "Wisdom begins by examining the words/names." - excuse my English, i am (slightly...) better with my Greek!
    7. Re:Criminal liability ... by countSudoku() · · Score: 1

      Forget all that, it'll never make it in front of a judge/jury because the lobbyists will be paying off anyone who even THINKS of making a noise against their precious "too big to fail" health company who never hurt anybody ever and always brushes their teeth before bed and never says a discouraging word. How dare we want our privacy. :/

      --
      This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
    8. Re:Criminal liability ... by Anonymous Coward · · Score: 0

      The only way to fix this is criminal liability, with very stiff fines.

      The problem is, they'll happily find a company guilty of some crime, and fine them some amount that looks big to the public but means nothing. Over and over again. But the people responsible don't go to jail. Just look at what transpired yesterday where banks were fined over 5 billion dollars, yet despite a whistleblower saying that the corporate culture was "if you ain't cheatin', you ain't tryin'," no person is charged with any crime, no person is going to jail. The company just loses a little money.

      If you're some 20 year old in Canada running a pump-and-dump stock scheme, you're going to be fined a few hundred thousand dollars and you'll face extradition and jail time in the USA via SEC. As it should be, in my opinion. But if you're a bank who makes many billions of dollars a year in profit and you're caught running a scam for ten or more years, "oopsie," we'll fine you a small percentage of those profits and now you can carry on. Put a banker in jail, ::gasp::, are you kidding?

      We need a Corporate Death Penalty and we need to use it. Pierce the veil. Use the RICO statutes to drill down beyond the business entity and punish the greedy little fuckers who run the criminal enterprise disguised as a bank. Shut HSBC's US branch and BOFA and their ilk the fuck down, seize it all. Dissolve them, liquidate their assets, appoint a receiver to repay their customers (not their shareholders) for the bilking and fraud they've done over the years.

      I know, I'm just dreaming. Seizure of assets only applies to some random Joe with a roach in his car, it doesn't happen to financiers.

      Anyone want to set up the First Bank of Slashdot? We could amass billions, misappropriate most of it, and the worst that could happen is they sanction our Bank for a portion of a percent of our holdings. No need for a "Step 3: ???" these days, it's just Step 1: Profit!

    9. Re:Criminal liability ... by Anonymous Coward · · Score: 0

      It (reportedly) wasn't medical data that was stolen.

    10. Re:Criminal liability ... by Chris+Mattern · · Score: 2

      I thought we had that with HIPPA.... Did I miss something?

      The fact that there's no such thing as "HIPPA"? Perhaps you meant "HIPAA" ("Health Insurance Portability and Accountability Act").

    11. Re:Criminal liability ... by Anonymous Coward · · Score: 0

      I still have yet to understand why a random financial institution I don't do business with being defrauded is MY problem simply because it happened with my info. That's the hugest con in identity theft. If they don't have my signature on paper and a photograph of who signed, they can go pound sand imo; I'm not going to be held responsible for their inability to actually identify whom they're doing business with.

    12. Re:Criminal liability ... by Anonymous Coward · · Score: 0

      HIPAA is not limited to medical data but covers all personally identifiable information (PHI).

    13. Re:Criminal liability ... by Anonymous Coward · · Score: 0

      Criminal liability does not always mean fine. Sometimes it means jail time.
      For example, SOX has some real criminal liability on it.
      When the board members faced the potential of actual jail for nonfeasance or malfeasance, the money really started flowing for SOX compliance.
      The ACA already tossed a bunch of requirements on insurers to give them the potential for significant additional profits. We already know that there will be changes to the law over time (large or small). An amendment adding some consumer protections would not be unreasonable.

    14. Re:Criminal liability ... by cusco · · Score: 1

      Won't make any difference until you make corporate executives legally/financially responsible.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    15. Re: Criminal liability ... by l0n3s0m3phr34k · · Score: 2

      Doesn't matter, HIPAA law doesn't have a designation that says "non-profits don't have to follow this law". Care First should be receiving a fine for every piece of lost information. Just because it's member owned doesn't mean they don't have to do security audits, real-time monitoring, etc. If anything these "members" who own it should be on the hook personally for the fines. If it's "your business" (ie, member owned) and you're making profit off it, you should also be an active participant in the business.

    16. Re:Criminal liability ... by Anonymous Coward · · Score: 0

      The only way to fix this is criminal liability, with very stiff fines.

      Yes, but it is also important that those who admit a breach aren't punished as hard as those who try to cover it up.
      Ideally we want our personal details to be secure. When that isn't the case we want to be informed as quickly as possible.
      Punishing incompetence as hard as malice will not remove the incompetence, only increase the damage from it.

    17. Re:Criminal liability ... by l0n3s0m3phr34k · · Score: 2

      They're only a "victim" due to lax security. The corporation broke the law too, by not properly securing their data as required by HIPAA law. And we SHOULD accuse them partially for the success of the criminals, as they enabled them twice. Once by having crap security, and two by not even noticing for an entire year. The HIPAA law might have changed since I did audits, but you're supposed to do them on a yearly basis as well. So, triple failure.

      As a side note, there seems to be a marketing opportunity here for security companies to do active domain name "dyslexic" attacks. It seems it would be trivial to have a script that transposes numbers into the real URL and does a WHOIS on a scheduled basis. Really, there are probably a dozen employees at Carefirst who could do this. At my job, probably over 50% of the people I directly work with could either do this off the top of their head or figure out how to do this in a few days; and they're not even programmers or such.

    18. Re:Criminal liability ... by Anonymous Coward · · Score: 0

      What makes you think that we don't already use tools to generate URLs?

    19. Re: Criminal liability ... by Etherwalk · · Score: 2

      Care First is a not for profit company. No shares. No investors. It's member owned.

      You are aware that perhaps a majority of nonprofits are shams designed to pull money out as salary and the like, right?

    20. Re: Criminal liability ... by Old97 · · Score: 1

      I work for one. They aren't shams in that there is no profit for shareholders. Yes, the top execs compensate themselves very very well. I'm a top of the heap individual contributor and highly paid and our CEO still makes about 100 times what I do - literally. You'd think they'd return some to the "owners" (members), but they only do that - premium adjustments - when competitive or regulatory pressures give them no choice.

      --
      Very often, people confuse simple with simplistic. The nuance is lost on most. - Clement Mok
    21. Re:Criminal liability ... by larwe · · Score: 1

      I disagree. If you create a system of monetary punishments, they'll simply get insurance to cover those. What's needed is criminal liability for negligent data security, WITH PRISON TIME. If we can jail a hacker, we can also jail the doofus who put a Post-It on the company datacenter door saying "key is under the mat". This sort of thing is never, ever going to go away. It's one of the prime reasons why I think forced electronic health record sharing is an incredibly stupid idea with an enormous downside and no upside for the individual. Yay it lets people datamine, but that doesn't help individuals - it helps research projects.

    22. Re:Criminal liability ... by larwe · · Score: 1

      Do you live in the United States? It's considered practically a constitutional right here to be able to get a credit card online, or order a cellphone and service (which requires a credit card) online. Or to be able to call a 1-800 number and get a new La-z-boy delivered on credit terms.

    23. Re:Criminal liability ... by Jane+Q.+Public · · Score: 1

      As long as corporations can say "oops" and just pretend that two years of credit tracking like this, nothing at all will change.

      Until then, corporations will be as incompetent and lazy as the law allows ... which is pretty much as incompetent and lazy as they want to be.

      When a few events like this happened last year to Home Depot and a few others, I saw a couple of those letters with offers of free credit monitoring, etc.

      IANAL, but I am pretty sure these are just attempts to stave off lawsuits. There is nothing binding about the "offers", and they don't preclude you from suing them for liability if you are an actual victim of identity theft.

      I think what this will actually take, are some people willing to step up and kick off some big suits. It is those kinds of damages that will make them finally pay attention.

      Having said that, "punitive" damages by government are supposed to be big enough to get corporations to end the sloppiness and take their liability seriously. So yes, I think you can lay a lot of blame on government's cavalier attitude toward this sort of thing.

    24. Re: Criminal liability ... by pnutjam · · Score: 1

      Yes, our corporations are anti-capitalistic by design. They take capital and remove the owners ability to control it.

    25. Re:Criminal liability ... by Holladon · · Score: 1

      If CareFirst didn't want to get hacked, it shouldn't have been wearing a miniskirt!

  2. Sophisticated Cyberattack by Anonymous Coward · · Score: 0

    They had almost no real security. The database wasn't even encrypted.

  3. One thing to consider... by cayenne8 · · Score: 2
    ...do NOT give your social security number to any company for anything other than SS taxation.

    I don't give it to insurance companies, nor to the utilities (yes I pay a deposit but I don't give them my SS number), etc.

    You may have to argue a bit and get a manager, but if nothing else, if you can keep your SS number out of systems that will potentially be broken into, at least they won't get that info.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    1. Re:One thing to consider... by bluefoxlucid · · Score: 1

      That's okay, databases of names, addresses, and dates of birth are valuable for identity crimes, anyway. I can open new credit accounts with my bank without providing my social security ID.

    2. Re:One thing to consider... by ColdWetDog · · Score: 1

      Doesn't work. In a number of states you HAVE to give the registration desk at the hospital your SSN. Otherwise you are in violation of some idiot state law. Sure, you can get emergency care by forgetting your name and SSN, but try to get some normal health care and yet another obstacle will be tossed in your face.

      Federal law now states you have to give the desk a 'government issued ID' for ANY care.

      May I see your passport, please?

      --
      Faster! Faster! Faster would be better!
    3. Re:One thing to consider... by Anonymous Coward · · Score: 1

      ...do NOT give your social security number to any company for anything other than SS taxation.

      I don't give it to insurance companies, nor to the utilities (yes I pay a deposit but I don't give them my SS number), etc.

      You may have to argue a bit and get a manager, but if nothing else, if you can keep your SS number out of systems that will potentially be broken into, at least they won't get that info.

      You need to understand something, between the credit bureaus; ChoicePoint; Medical Information Bureau; and all the other for profit businesses that collect data, collate it, and organize it; as well as other insurance companies AND your employer; with just a couple of pieces of identifying information, I can get your SSN.

      The only thing we can do is freeze our credit and hope for the best.

    4. Re:One thing to consider... by ColdWetDog · · Score: 3, Insightful

      Oh, and why is it always a 'sophisticated Cyberattack'? That wording is exactly the same as in the letter I recently received outlining the Primera BC/BS data breach which happened over a year ago. Must be the same nasty cyber criminals. Or maybe the same unpatched SQL injection bug from 2005.

      --
      Faster! Faster! Faster would be better!
    5. Re:One thing to consider... by unrtst · · Score: 2

      In a number of states you HAVE to give the registration desk at the hospital your SSN. ... Federal law now states you have to give the desk a 'government issued ID' for ANY care.

      While that law is silly, those two statements aren't exactly the same. My state issued ID does not include my SSN.

    6. Re:One thing to consider... by gstoddart · · Score: 2

      Oh, and why is it always a 'sophisticated Cyberattack'?

      Because if they didn't call it that, they might have to say "because we're screamingly incompetent".

      You can bet your ass that PR firms and image consultants play a huge part in how this is announced and described.

      And "yarg, teh highly sophisticated hax0rs pwned us" puts them in the best possible light.

      Now, how difficult and sophisticated the actual attack was, I have no idea.

      --
      Lost at C:>. Found at C.
    7. Re:One thing to consider... by countSudoku() · · Score: 1

      HAHA! Or just some pissed-off, underpaid employee with an axe to grind and a spare USB stick, but that is not as fearful news as "sophisticated cyber criminales"

      --
      This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
    8. Re:One thing to consider... by Sarten-X · · Score: 2

      In a number of states you HAVE to give the registration desk at the hospital your SSN. Otherwise you are in violation of some idiot state law. ... Federal law now states you have to give the desk a 'government issued ID' for ANY care.

      [citation needed]

      I used to work in medical data, and SSNs are actually explicitly prohibited in a number of states. I never encountered any state that required them. I'm also particularly skeptical of your "ANY care" comment, as that would prohibit care for foreigners, vagrants, emergencies, and many accidents.

      Unfortunately, it is true that many doctors' record systems require the field. I quickly lost count of how many different patients apparently had 123-45-6789 for their SSN.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    9. Re:One thing to consider... by ColdWetDog · · Score: 1

      No, they aren't the same but it points out that you have to give a health care facility quite a bit of information before they let you in the door. Sometimes you can get away without giving them your SSN (as if that would help), other times no.

      Some states do put the SSN on the driver's license. One stop shopping!

      --
      Faster! Faster! Faster would be better!
    10. Re:One thing to consider... by ColdWetDog · · Score: 1

      Alaska law requires it. Presumably Washington state requires it (at least some clerk told me that, I did not bother to look through the statute books).

      --
      Faster! Faster! Faster would be better!
    11. Re:One thing to consider... by Cro+Magnon · · Score: 1

      My state doesn't put the SSN on the driver's license, but it did for years. By now I'd guess every 2-bit hacker from here to Russia probably has it. :-P

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    12. Re:One thing to consider... by praxis · · Score: 1

      It's a pretty weak citation to say a state requires it, when you can't even be bothered to look if they require it.

      What you stated is that in Alaska, one may be refused emergency care if one does not provide a social security number. That is a pretty strong statement and requires a more rigorous citation than "Alaska law requires it". I'm not an expert in searching statutes, but I could find no such statute.

    13. Re:One thing to consider... by Sarten-X · · Score: 2

      Alaska statute 45.48.410 explicitly permits hospitals to ask, but I can't find a statute that requires it.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    14. Re:One thing to consider... by Anonymous Coward · · Score: 0

      Washington state does NOT require it.

  4. Is this accounts hacking day? by ArcadeMan · · Score: 3, Interesting

    This is the third news about massive amounts of accounts being hacked in less than eight hours.

    1. Re:Is this accounts hacking day? by Anonymous Coward · · Score: 1

      And as an IT dude going on 20 years I can say that most of these instances of data theft are due to "get it to market now we don't care if it's perfect" thinking and not just incompetence.

      I've been in the war room with the developer saying "yeah, we knew that was an issue, we were going to address it in the next release" so many times. In one particular case my team (IT Ops) had been warning the dev team for months about a SQL injection problem, including showing them a posting on a website listing our domain as vulnerable and giving details on how to get in.

      Everyone screams at the ops and network guys to patch the hole until the fix is in, and the dev team lead gets a promotion. In that particular case the dev guy was very open about his CIO ambitions. Lord help us all.

      Identity theft fucks people's lives over for months or even years, I know firsthand, btw, so yeah, time to start smacking these folks down and changing the profit first customer last culture.

    2. Re: Is this accounts hacking day? by Anonymous Coward · · Score: 0

      Linky, please?
      It does not hurt to know more.

  5. insert joke by Anonymous Coward · · Score: 0

    Insert joke about caring first about our data here -->

    1. Re:insert joke by Sarten-X · · Score: 1

      CareFirst puts healthcare first, and security somewhere around eighty-ninth.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    2. Re:insert joke by ColdWetDog · · Score: 1

      I suspect that CareFirst puts its financial bottom line first and everything else a distant 115th.

      --
      Faster! Faster! Faster would be better!
    3. Re:insert joke by Anonymous Coward · · Score: 0

      CashFirst.

    4. Re:insert joke by FranTaylor · · Score: 1

      from their web site:

      "In its 77th year of service, CareFirst BlueCross BlueShield is a not-for-profit, non-stock health services company"

  6. ACA Database by g0bshiTe · · Score: 2

    I'm just waiting till the treasure trove that is the national ACA exchange gets hacked.

    I imagine if/when it happens there will be no mention of it as it would mean every American registered in it would want heads to actually roll.

    --
    I am Bennett Haselton! I am Bennett Haselton!
    1. Re:ACA Database by Anonymous Coward · · Score: 0

      The ACA website is a front end that checks a variety of backend systems, it's not one monolithic database with everyone's stuff in plain text.

    2. Re:ACA Database by Anonymous Coward · · Score: 0

      When it happens, the political party not in power at the time will have plenty to say about it.

  7. Security Rehash Part Deux by ripvlan · · Score: 1

    The more I see this happen - the more I think we need to change the economy for stolen data. Remember when they stopped arresting prostitutes and targeted the Johns? Locks can be picked and are there to keep honest people honest. Credit monitoring must be pretty cheap as more companies buy it as an insurance product. This data is going to be stolen!

    Now we need to make it worthless.

    In the world of digital "signup on the web" stolen data can be used pretty quickly. Like the bad checks loophole (popular on Craigslist and others). The detection of bad IDs needs to be easier and products for purchase harder to get. There are days that I believe the 3 credit reporting agencies are responsible - they created a market & product that is easy to abuse. Yes - I can flag my credit rating (even "lock" it) - but then my life becomes difficult.

    Maybe a smartApp that allows easier monitoring and blocking of requests. My AMEX credit card already gives real time purchase details on my phone. This might aid in detection.

    Now - how to reduce the value of the products? (or increase the cost to acquire).
    And just maybe - make it expensive for the companies that hold this data to the point they find another way.

    1. Re:Security Rehash Part Deux by Dunbal · · Score: 1

      Remember when they stopped arresting prostitutes and targeted the Johns?

      Yes that put a stop to prostitution all right. Er wait, what? What do you mean there's still prostitution?

      It's one thing to try to come up with solutions. It's another to come up with solutions that actually work.

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Security Rehash Part Deux by ripvlan · · Score: 1

      It didn't eradicate it. However - the numbers of "users" dropped significantly. It was considered a turning point in how to deal with the problem.

    3. Re:Security Rehash Part Deux by Dunbal · · Score: 1

      Did the number of "users" drop because of the switch in tactics by the police, or did it drop along with the overall drop in crime? And did prostitution really drop at all, or did it just migrate from the street corner to escort services, craigslist and twitter? Not as black and white as you think.

      --
      Seven puppies were harmed during the making of this post.
  8. I was one of the happy customers. by Bovius · · Score: 1

    We did get a letter about the security breach, and the offer for 2 free years identity theft protection, so...thanks, I guess? Nothing horrible has happened yet, but as far as I can tell, we don't really have any recourse other than sitting and waiting for bad things to occur. No actionable information provided.

    The notice they sent us went out months after they found out about it. Which I'm kind of grumpy about, but at least to some degree makes sense. They don't want to go public with the information until they've locked down as much as they can.

    One last gripe: the letter was mostly worded in the "protect our own butts legally and limit our liability as much as possible" sense, not the "we're sorry this happened to your personal information and we want to make it right" sense. Which, I mean, come on. This is an insurance company. That's literally what they do for a living.

  9. laugh by koan · · Score: 2

    It's sad I have been offered this

    two years of free credit monitoring and identity threat protection as compensation

    6 times now, and from 6 different corps.

    And this..

    'sophisticated cyberattack'

    is bullshit..
    http://krebsonsecurity.com/201...

    Turns out, the same bulk registrant in China that registered the phony Premera and Anthem domains in April 2014 also registered two Carefirst look-alike domains — careflrst[dot]com (the “i” replaced with an “L”) and caref1rst[dot]com (the “i” replaced with the number “1”).

    Additionally, ThreatConnect has unearthed evidence showing the same tactics were used on EmpireB1ue.com (note the “L” replaced with a number “1”), a domain registered April 11, 2014 (the same day as the phony Carefirst domains). EmpireBlue BlueCross BlueShield was one of the organizations impacted by the Anthem breach.

    --
    "If any question why we died, Tell them because our fathers lied."
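The two comments above (the "transpose characters in the real URL and check WHOIS on a schedule" idea, and the careflrst / caref1rst / EmpireB1ue look-alikes from the Krebs report) describe the same defensive check: enumerate single-edit look-alikes of your own brand domain and watch for them turning up in new registrations. The script below is an added example, not code from the page or from any of the commenters. It assumes a brand domain, a small homoglyph table, and a constructed list standing in for a registration feed; the scheduled WHOIS/zone-file pull the comment mentions is left to whatever feed you plug in.

```python
# Added example: enumerate single-edit look-alikes of a brand domain and
# flag any that appear in a feed of newly registered domains.
# BRAND, HOMOGLYPHS and SAMPLE_FEED are constructed for this example.

BRAND = "carefirst.com"

# Visually confusable substitutions: i->l, i->1, l->1 are the ones the
# quoted report describes; the rest are common additions (assumption).
HOMOGLYPHS = {
    "i": ["l", "1"],
    "l": ["1", "i"],
    "o": ["0"],
    "e": ["3"],
    "a": ["4"],
    "s": ["5"],
}


def lookalike_variants(domain: str) -> set[str]:
    """Return single-edit look-alikes of `domain`: one homoglyph swap,
    one adjacent-character transposition, or one omitted character.
    Only the label left of the TLD is mutated; the TLD is kept."""
    label, _, tld = domain.rpartition(".")
    variants = set()
    # Homoglyph substitution (careflrst, caref1rst, ...)
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            variants.add(f"{label[:i]}{sub}{label[i + 1:]}.{tld}")
    # Adjacent transposition (carefrist, ...)
    for i in range(len(label) - 1):
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        if swapped != label:
            variants.add(f"{swapped}.{tld}")
    # Single-character omission (carefist, ...)
    for i in range(len(label)):
        omitted = label[:i] + label[i + 1:]
        if omitted:
            variants.add(f"{omitted}.{tld}")
    variants.discard(domain)
    return variants


def flag_registrations(brand: str, newly_registered: list[str]) -> list[str]:
    """Return the feed entries that exactly match a look-alike of `brand`,
    normalised to lowercase and sorted so the output is stable."""
    variants = lookalike_variants(brand)
    hits = {d.strip().lower() for d in newly_registered}
    return sorted(hits & variants)


# Constructed sample feed (not real registration data): two look-alikes
# named in the report, one transposition, the brand itself, and noise.
SAMPLE_FEED = [
    "careflrst.com",
    "caref1rst.com",
    "carefrist.com",
    "example.org",
    "carefirst.com",
    "carefirstbluecross.com",  # contains the brand but is not a single edit
]

if __name__ == "__main__":
    for hit in flag_registrations(BRAND, SAMPLE_FEED):
        print("look-alike registered:", hit)
```

Run on a real feed, each hit is a candidate for a WHOIS lookup and a takedown or blocklist entry; the exact-match check keeps false positives low, at the cost of missing multi-edit variants, which is the usual trade-off for this kind of monitor.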
  10. Fine companies .. by Anonymous Coward · · Score: 0

    Companies that get breached should be fined $1M per identity breached, paid directly to the person affected. If that were the case .. I'd be $12M richer, minus the 40% the Feds would take in income taxes

  11. Ooh! A letter of apology! by rnturn · · Score: 1

    Try taking that with you to the bank when you try applying for a loan after your credit has been trashed by an identity thief. See how far along the loan approval process that letter gets you.

    WTF are you supposed to do with a damned letter? Feel all warm and fuzzy that they care?

    --
    CUR ALLOC 20195.....5804M
    1. Re:Ooh! A letter of apology! by praxis · · Score: 1

      I would hand the letter to my lawyer, who would then work with credit bureaus to clean up fraudulent activity on my credit report.

    2. Re:Ooh! A letter of apology! by FranTaylor · · Score: 2

      I would hand the letter to my lawyer, who would then work with credit bureaus to clean up fraudulent activity on my credit report.

      does he do this kind of stuff for free?

    3. Re:Ooh! A letter of apology! by praxis · · Score: 1

      No of course not, but if I were in the market for a loan from a bank, having him do that would be well worth the long-term loan costs he could save me.

    4. Re:Ooh! A letter of apology! by lgw · · Score: 1

      10 years ago this was a real problem. Now it just takes a few calls to clear everything up, and a few weeks for it to all get sorted out. Yeah, it sucks you have to waste hours on it, but the credit agencies have a procedure for identity theft reporting now.

      If you're ever worried something might happen, just flag your account for fraud. Once you do that, opening any new accounts will require they call you to confirm (which should be the default IMO).

      Of course, the real problem is that we're all far too much in the habit of borrowing money, but that's a different rant.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  12. cyber what? by Anonymous Coward · · Score: 0

    At this point the whole country should be getting free credit monitoring. Pay for it with a tax on domain names or corporate internet access or something.

    1. Re:cyber what? by FranTaylor · · Score: 1

      yeah there's a system that for sure will never ever be breached by hackers

  13. Why? by Anonymous Coward · · Score: 0

    And it took a year to notify customers because....???

  14. Care first.. security a distant third? by Anonymous Coward · · Score: 0

    Care first.. security a distant third?

  15. This is why IT should be a licensed profession by ErichTheRed · · Score: 1

    I know very few people agree with me on this one, but this is a perfect example of where professional licensure of at least the design part of IT and SW development could prevent problems. No civil engineer with the PE designation would sign off on a dumb design because they and/or their firm would be personally responsible for faulty work, and companies couldn't pressure people into doing so. Engineering of real world systems involves using proven methods and thoroughly testing anything new or different before it gets anywhere near the real world. IT is famous for "oh well, it compiles, we're done" and "I want to implement this in LangDuJour On Rails because it'll look good on my resume." I'm not saying it will solve all problems, but that would certainly weed out most bad design and many bad practitioners. You would standardize the education requirements, and at least ensure that people who get the license to practice think twice about taking dumb shortcuts. Lots of people would complain, and yes, it would slow the insane pace of new technology introduction, but it's been decades...it's time for the profession to grow up.

    Licensing would not fix the other part of this problem -- companies not devoting the right amount of resources to IT. IT is almost always considered a cost center, and not understood by anyone in the executive suite (including the CIO.) I don't know this for a fact, but I'll bet that at least some of CareFirst's IT is outsourced to a lowest-bidder contractor -- just because I know companies that aren't IT-centric don't care about what happens in IT. That outsourcing either has their entire infrastructure in a disinterested third party's hands, or a split that's painful enough to make in-house staff think twice about changing something.

    Finally, the problem is that companies get away with this all the time. Credit card fraud is completely victimless in the eyes of companies as long as they passed their PCI audit...their insurance company just pays and the banks eat the rest of the losses. Same goes with personal data -- it's always "oops, here's some credit monitoring service for you." Any class action lawsuits end up settled 10 years later for a few dollars per claimant. Until companies get in serious trouble for this, it will continue to happen.

    1. Re:This is why IT should be a licensed profession by FranTaylor · · Score: 1

      where professional licensure of at least the design part of IT and SW development could prevent problems

      this is like saying that professional licensing of auto mechanics will reduce the incidence of drunk driving

  16. Why wait so long? by Anonymous Coward · · Score: 0

    If they actually cared they would have disclosed this information a hell of a lot sooner than now. Instead they gave hackers almost a full year to fuck unsuspecting victims.

    Do the people a favor and change your name to CareLater.

  17. So this means ... by jc42 · · Score: 1

    ... All affected members will receive letters of apology, offering two years of free credit monitoring and identity threat protection as compensation, ...

    So they're saying that they have such monitoring/protection, but members who aren't explicitly paying extra for such monitoring/protection aren't being protected from identity theft in any way?

    Somehow, I don't find this surprising. But I'm a bit surprised that they'd admit it so blatantly and openly.

    (Actually, I'm a bit dubious about their implicit claim to have such monitoring/protection already. But it's fairly common for companies to make such claims for PR purposes, without bothering to actually implement what they're claiming to supply until something like this hits them. Maybe they had another similar incident happen sometime in the past, and are finally getting around to doing something about it?)

    (And what exactly does "identity threat protection" mean? Google doesn't seem to have any matches for that phrase, and automatically replaces it with "identity theft protection", which doesn't sound like the same thing at all. ;-)

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  18. June of last year by supernova00 · · Score: 1

    "[...] announced yesterday that the hack had taken place in June last year" Why the heck did it take them a year to disclose this? Did someone finally leak this information and they finally had to admit to it?

    1. Re:June of last year by Anonymous Coward · · Score: 0

      They hired a security consultant, Mandiant, after the Anthem data breach in April.

      "We first learned of the attack on April 21, 2015 when the review of CareFirst's systems was not yet complete. This was when Mandiant discovered that a cyberattack occurred and likely resulted in a limited unauthorized access to a database. It was necessary to complete the comprehensive forensic information technology review of all of CareFirst's systems to understand the nature of the attack, the information potentially accessed, and the members who were affected. In addition, the comprehensive review was necessary to determine that there was no evidence of any prior or ongoing attacks and to take steps necessary to ensure the integrity of the system."

      http://carefirstanswers.com/faq.html

  19. CamelCase BallsUp BeggarsBelief by Anonymous Coward · · Score: 0

    n/t

  20. what a great idea by FranTaylor · · Score: 1

    what a great way for IT professionals to get rich: breach their own employer's computer systems and steal their own data.

  21. Is it wrong by Anonymous Coward · · Score: 0

    That I originally read the article title as "CareFist"?

  22. Sophisticated cyberattack? by nickweller · · Score: 1

    Are there any technical details regarding this 'sophisticated cyberattack', or was it yet another SQL exploit or altering a URL and scraping the database?

  23. This has two crony-capitalist roots by Anonymous Coward · · Score: 0

    1. Somewhere along the line, businesses started assuming they had a RIGHT to collect, store, use, and sell information about other people. Nobody actually gave them this right. Nobody legally codified the scope of this right. Medical firms, insurance firms, credit reporting/rating firms, and even Radio Shack all built business models that included (or were principally-based on) the presumption that they had the right to hold and trade this data. At this point, when anybody tries to say "Hey, wait a minute! You can't do THAT!", these multi-billion-dollar interests simply remind their purchased politicians that there will be future elections that must be funded...

    2. Businesses and unions, who pretend to be mortal enemies, actually have the same relationship with their politician "friends"; They have large sums of cash which they can contribute to make sure the politicians see them as "too big to fail". This is how the unions got protected in the auto company bailouts, while all the little gray-haired folks with retirement funds in auto stocks lost everything. It's also how the bankers avoided ANY responsibility for the 2008 meltdown. When any big business loses the data of average citizens, exposing each of them to an almost unlimited (in both time and cost) financial hit, the government they bought will make sure they pay no penalty. Funny thing, but that same government helped music companies drop the hammer on individual people who posted music online based on the same theory of practically unlimited damage since data cannot be "gotten back"....

    When rules only work in one direction, start looking for crony relationships between people with cash and politicians.

    This will NOT change by voting Democrat or voting Republican.... this will ONLY change if voters of all parties let their representatives know they will no longer vote along party lines (George Washington warned against forming political parties for this very reason) and tell them they will only get the votes if they oppose this sort of corruption and start protecting the rights of the individual. The key is that money does not vote... only individuals do, so the voters need to de-couple their votes from campaign ad money and make it clear that REAL ACTIONS are all that matter.