Anthem disclosed yesterday evening — the second largest US health insurer, eighty million current and former member records, names, dates of birth, member identifiers, Social Security numbers, addresses, employment information, and income data (Anthem statement, anthemfacts.com). The notification letter and Joseph Swedish's open letter went out within hours, which is faster than the industry norm and worth noting in itself.

The clinical data sits on different systems and is not, on Anthem's account, in the affected dataset. That separation, if it holds, is the single piece of good news in the disclosure. The rest is bad on a scale that matters.

What is publicly known so far. Anthem says the intrusion was discovered "late last week" — the press accounts are converging on the 27th of January as the discovery date and an unspecified earlier date as the start of the access window (Wall Street Journal coverage). The mechanism reported by people speaking on background is credentialled access — administrative credentials, not exploitation of an externally facing flaw — followed by database queries that pulled the affected records out. That story will firm up or change in the coming days. I file it as preliminary.

For pen testing teams looking at the same posture in financial-services and insurance environments, the operational read-across is uncomfortable but obvious. The compromise is described as starting with credentials. Once an adversary has credentials, the controls that matter are not the perimeter ones; they are the ones that detect anomalous behaviour by an authenticated account inside the data plane. Database query monitoring, behavioural baselines on bulk extracts, alerts on unusual time-of-day activity by privileged users. That is what would have caught this earlier, on the assumption that it took longer than a single shift to extract eighty million rows. I want to know how long the access window was — that number, when it lands, will be the more useful number than the record count.
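The controls named above are concrete enough to sketch. The following is an added example, not Anthem's or this author's code: a toy detector run over a constructed database audit log. It keeps an online per-account baseline (median rows returned by that account's earlier queries), flags a privileged account when a query returns far more than its baseline or runs outside business hours, and then reports the access window those alerts span, which is the number the paragraph says matters most. The log format, account names, role labels, working-hours window and thresholds are all assumptions for illustration; real DBMS audit formats differ and the thresholds would be tuned against a real quarter of data.

```python
"""Toy detector for credentialled-but-anomalous database activity.

Added example, not Anthem's or the author's code. The audit log
format, account names, roles and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from statistics import median

# Constructed sample audit log: ISO timestamp, account, role,
# statement type, rows returned. Three unremarkable days of admin
# activity, then three 4M-row pulls in the small hours.
SAMPLE_LOG = """\
2015-01-20T09:14:02 app_svc  app    SELECT 1
2015-01-20T09:14:05 app_svc  app    SELECT 1
2015-01-20T10:02:44 dba_ops  admin  SELECT 250
2015-01-21T11:30:10 dba_ops  admin  SELECT 300
2015-01-22T14:45:00 dba_ops  admin  SELECT 180
2015-01-23T03:12:51 dba_ops  admin  SELECT 4000000
2015-01-23T03:41:19 dba_ops  admin  SELECT 4000000
2015-01-23T04:10:33 dba_ops  admin  SELECT 4000000
2015-01-24T15:20:00 app_svc  app    SELECT 1
"""

PRIVILEGED_ROLES = {"admin"}                 # assumed role label
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed local working window
BULK_FACTOR = 20    # rows > BULK_FACTOR * account median => bulk extract
MIN_HISTORY = 3     # prior queries needed before a baseline is trusted


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    account: str
    role: str
    statement: str
    rows: int


def parse_log(text):
    """Parse the constructed whitespace-separated audit format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, role, statement, rows = line.split()
        events.append(AuditEvent(datetime.fromisoformat(ts), account,
                                 role, statement, int(rows)))
    return events


def off_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def detect(events):
    """Return alerts as (timestamp, account, reason) tuples.

    The baseline is the median of the account's *previous* queries,
    updated after each event, so a burst cannot poison the baseline
    it is being judged against.
    """
    history = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.role in PRIVILEGED_ROLES:
            if off_hours(ev.ts):
                alerts.append((ev.ts, ev.account,
                               "privileged activity outside business hours"))
            prior = history[ev.account]
            if len(prior) >= MIN_HISTORY and ev.rows > BULK_FACTOR * median(prior):
                alerts.append((ev.ts, ev.account,
                               f"bulk extract: {ev.rows} rows vs account "
                               f"median {median(prior):.0f}"))
        history[ev.account].append(ev.rows)
    return alerts


def access_window(alerts):
    """Earliest and latest alert per account: the span an IR team needs."""
    windows = {}
    for ts, account, _reason in alerts:
        first, last = windows.get(account, (ts, ts))
        windows[account] = (min(first, ts), max(last, ts))
    return windows


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for ts, account, reason in found:
        print(f"{ts.isoformat()} {account}: {reason}")
    for account, (first, last) in access_window(found).items():
        print(f"{account}: suspicious window {first} to {last} "
              f"({(last - first).total_seconds() / 60:.0f} min)")
```

Two design points worth carrying into a real rule set. The baseline is computed from history only, which is why the first 4M-row pull is judged against a median of a few hundred rows rather than against itself. And the window is derived from the alerts, not from the raw log, because the question the paragraph asks ("how long did they have?") is answered by the first and last anomalous action, not by the first and last login.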

I have spent today on three things. First, a note to the manufacturing client whose vCISO scope I am closing on this month — they hold a comparable volume of personally identifiable data on workforce records, and the Anthem disclosure is the kind of newsroom story that gets the board's attention. The note frames the question correctly: the issue is not whether they are "as secure as Anthem"; it is whether they have visibility into what their privileged accounts are doing with their data stores. Second, an internal review of our own SOC playbook on credentialled-but-anomalous database activity. We have the rules; I want to confirm they have fired in the past quarter on real customer data and that the analysts know what to do when they fire. Third, conversations with two pen testing prospects whose data this morning was a pricing problem and this afternoon is not.

The attribution discussion has already started. Several reports are pointing toward a state-level actor — there is loose chatter about overlap with infrastructure or tooling that has been seen in earlier intrusions against other US targets. I will not write the country down. The signal-to-noise on attribution in the first week of any disclosure is poor, and the Mandiant APT1 report from 2013 (apt1-report) is a useful reminder that even careful, evidenced attribution takes months of work. The investigators on the Anthem case will be six days in by Friday.

Two things I am watching. The class action exposure — given the SSN content and the number of states affected, the litigation tail will be very long, and it will set precedent that other carriers will be measured against. And the specific question of whether the data was encrypted at rest. The early reporting suggests it was not. That position has been defensible on industry-norm grounds for a long time, in part because of the operational cost of selective field-level encryption against active workloads, in part because of the way HIPAA's "addressable" rather than "required" framing for encryption is interpreted by counsel (HIPAA Security Rule guidance, HHS). It is not going to be defensible after Anthem. One caveat before that debate takes over the coverage: disk or tablespace encryption would not have stopped a query run with valid administrative credentials, because the database decrypts for any authorised session. Only field-level encryption with keys the database role cannot reach changes that outcome, and that is precisely the expensive option the industry has been declining. The conversations I am having with the financial-services Towry team this week are going to be different by next week.

The disclosure cadence here is, on its face, well handled — fast notification, clear letter, dedicated information site, free credit monitoring. That is the modern playbook and Anthem are following it. None of that changes the underlying problem, which is that the database is a single, queryable repository of the most sensitive identifiers in the United States, and the protective architecture around it was credential-trust. Moving that architecture is the work.

