Excellus works to remediate IT systems following breach

IT expert wonders if total number of affected customers could rise

Excellus BlueCross BlueShield says it “had no indication” that a cyberattack on its information-technology (IT) systems had occurred until a cybersecurity firm it had retained discovered it.

That’s according to Elizabeth Martin, vice president of communications at Excellus. Martin provided responses to CNYBJ follow-up questions in an email after the health insurer announced the cyberattack in a news release on Sept. 9.

Rochester–based Excellus, Central New York’s largest health insurer, said it first learned about the breach on Aug. 5. However, the company’s investigation revealed that the initial attack occurred on Dec. 23, 2013.

The breach may have affected the personal information of about 7 million Excellus customers. The same attack may have impacted an additional 3.5 million customers of other affiliates of the Lifetime Healthcare Companies, Excellus’ parent company.

Once the firm Mandiant told Excellus about the breach, the company started working to “remediate our IT systems of the issues created by the attack” and notified the FBI, Martin said.


“In addition to the steps we took to remediate our IT systems, we are also working with Mandiant to strengthen and enhance the security of our IT systems moving forward,” said Martin.

Mandiant is the incident-response division of FireEye Inc. (NASDAQ: FEYE), a Milpitas, California–based cybersecurity firm.

CNYBJ asked Excellus why it waited more than a month to announce the breach after learning about it.

“Since the initial indication of an attack on August 5th, our priority has been to figure out who, if anyone, was impacted and to get services set up to assist those individuals. We did not contact customers before that happened because there is no evidence that any information was actually removed or that information has been used inappropriately. And, this did not disrupt any services or impact the integrity of our data,” Martin said in the email response.

Excellus had retained Mandiant earlier in the summer after breaches among other insurers and businesses “triggered our desire to have a forensic assessment performed.”

Mandiant started its work in late July, according to Martin.


Excellus is mailing letters to affected individuals and providing two years of free identity-theft protection services through Kroll. That’s a New York City–based firm that specializes in risk mitigation and response services, including credit monitoring through TransUnion, according to Excellus. Kroll’s focus areas include cyber security, investigations, and data-breach response, according to the company’s website.

Excellus has established a call center for members and other affected individuals.

It also launched a website (www.excellusfacts.com), where members and other affected individuals can view frequently asked questions and answers and sign up for the free credit-monitoring and identity-theft protection services.

Individuals who believe they are affected by this cyberattack, but who have not received a letter by Nov. 9, are encouraged to call the number listed at that website, Excellus said.

“Tip of the iceberg?”

When a company has been breached and first reports the number of affected customers, it is typically “just the tip of the iceberg.”

That’s according to Tim Erlin, director of information-technology security and risk strategy at Portland, Oregon–based Tripwire Inc., a provider of advanced threat, security, and compliance services.

Erlin told CNYBJ that he believes Excellus and Lifetime Healthcare are “hedging their bets a little” by estimating the potentially affected number of customers based on their overall customer base.

“…which means that they don’t actually know exactly how many records were compromised, or they’re not sharing that information,” says Erlin.

For health insurers and retailers that have dealt with a breach, the pattern seems to be that they initially announce an affected number, and once the authorities have investigated further, “they realize that number is larger,” he adds.

It could mean that the attack compromised other records, or that it extends to a third party.

“It’s been a fairly consistent pattern,” says Erlin.


Erlin also found Excellus’ wording in its news release “interesting,” pointing to the line that reads, “the investigation has not determined that personal information on the company’s IT systems was removed or used inappropriately.”

“And what’s interesting about that is that it doesn’t say that it didn’t happen. It just says they haven’t found the evidence yet,” says Erlin.

He figures it’s another “indication” that the probe may reveal more about the data that the hacker accessed and what happened to it.

The investigation into the breach and cyberattack is likely “a lot of work and difficult, too.”

“These situations aren’t simple. They’re technically complex,” says Erlin.

The hacker who first attacked in December 2013 has had time “to do an awful lot” in the nearly 20 months that passed before the investigators discovered the attack, he notes.

When asked if the cyberattack indicates a flaw in Excellus’ information-technology system, Erlin says it’s hard to know because the company didn’t release details of how the attack occurred.

“Generally speaking, a successful cyberattack has to exploit either a flaw in a particular piece of software or a system in place, or a flaw in a human being or a flaw in process,” says Erlin.

A flaw in the software means the hacker found a vulnerability and exploited it.

A flaw in a human being would involve an attacker compromising a person in order to gain access to a system.

An example of a process defect would be leaving a default user name and password in place rather than changing them, so that an attacker can guess the password.

“Excellus hasn’t disclosed what type of flaw was exploited, but something along the way wasn’t set up correctly or wasn’t patched correctly and that allowed an attacker to gain access to these records,” Erlin says.

Eric Reinhardt
