Massive Anthem Data Breach Could Impact Millions
Friday, February 6, 2015 6:45 AM

Anthem Inc., the nation’s second largest health insurer, disclosed Wednesday that hackers had broken into its servers and stolen names, dates of birth, member ID/social security numbers, addresses, phone numbers, email addresses, and employment information. The company stressed that the exposed data did not include medical records or financial information.

The company didn't specify how many consumer records may have been breached, but figures from the company's website suggest the scale of those potentially affected: "With nearly 69 million people served by its affiliated companies including more than 37 million enrolled in its family of health plans, Anthem is one of the nation’s leading health benefits companies."

The Anthem breach, which reportedly occurred on Jan. 29, presents a different sort of problem than credit unions have experienced with retailers; however, it could mean a potentially destructive problem for credit union members: identity theft.

Review for Control Systems

Times of crisis aren't optimal for reviewing a credit union's policies and procedures, but this breach is a good reminder to review potential vulnerabilities, because your security is only as solid as your control systems. Reviewing internal access controls and determining which employees need access to protected member and operational information is a good start. Verify which employees still require access and which have moved to different departments and no longer need it. Also, look at authentication practices for members calling to access account information, and at member identity theft education programs.

If thieves have a member's social security number, date of birth, address, phone numbers, etc., and credit unions use those same pieces of information to authenticate member identity, then thieves can compromise those security measures.

One necessary protective measure is multifactor authentication. "Multifactor authentication," says Idrees Rafiq, CU Resources' AVP of IT Consulting, "includes knowledge factors, or something only the member knows, like social security number, date of birth, etc.; something the member has, like a token, cookies in browser, etc.; and something the member is, like fingerprints."

Then there are multi-layer knowledge factors, which combine something the member knows with something else the member knows that is more personal, such as recent transaction activity, answers to "challenge" questions (e.g., "Where were you born?"), and a preset password.

The more authentication factors a credit union requires, the greater the difficulty for identity thieves to provide false credentials.

Rafiq says, "The rule of thumb is, don't authenticate a member's identity using data that a credit collector would have, similar to the data allegedly breached at Anthem."

How Can Credit Unions Help Their Members?

Anthem operates plans including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Amerigroup and Healthlink. Credit unions can suggest that members who hold accounts with an Anthem company change their passwords immediately.

Anthem has pledged to offer free credit monitoring and identity protection services to all affected customers. These services will keep an eye on consumer credit reports for known indicators of identity theft and send alerts, look for changes of address, and alert the individual when someone else tries to use their identity. But consumers may not have time to wait for Anthem to complete its investigation, so encouraging members to sign up for credit monitoring and identity protection now can thwart any immediate attempts.

Members can also sign up for fraud alerts, which caution lenders and others to take special care to verify an individual's identity before issuing new credit. An alert won't necessarily stop a fraudster, but it will raise a red flag that prompts extra steps, including potentially contacting the consumer directly.

Another preventive step members can take is contacting each of the three major credit bureaus—Experian, TransUnion, and Equifax—and asking that a fraud alert be placed on their credit file. That alert will stay on the consumer's report for 90 days, a good interim step until credit monitoring is in place, whether from Anthem or another company the individual signs up with.

A more extreme measure is a credit freeze, which will stop any kind of credit being extended at all. Consumers should not take this step without thinking it through, because in addition to thwarting thieves, it would also prevent the consumer from getting any kind of new credit card, including an in-store card, or a loan without notifying the bureaus first.

Lastly, it only takes two pieces of information for a crook to snag a consumer's tax refund by filing the consumer's taxes early and claiming the refund for themselves. Consequently, credit union members may want to file as early as possible to avoid this problematic scenario.