The recent Carefirst breach is just the latest in a rash of large-scale healthcare breaches, but the prevailing notion in the aftermath of this breach is that it isn’t as severe as the Anthem or Premera breaches that preceded it. The thinking is that the victims of this breach dodged a bullet here, since attackers only accessed personal information such as member names and email addresses, not more sensitive information like medical information, social security numbers, and passwords. However, attackers may still be able to use this partial information in a variety of ways, and a partial breach should not be dismissed as trivial.
The first, most obvious way attackers will use this information is to send phishing attacks. We’ve covered this topic after breaches in the past and TrendMicro summarized the situation nicely on its blog. So yes, Carefirst members should be wary of potential phishing emails, but no one should wait for a breach to be vigilant about phishing.
Are phishing attacks the only way attackers can use this information? There may be a sense of relief that victims at least avoided the risk of identity theft, but even partial information about Carefirst’s members can help enterprising criminals.
For Carefirst’s attackers (who had been present on the network since June 2014), the key to profiting from this attack is to sell this information. Names and email addresses by themselves are valuable to spammers (one can imagine spam hawking cheap prescription drugs being sent a list of healthcare users), but names and email addresses also hold value. Fresh email addresses are also valuable to people who are building out botnets.
Most importantly, there is an entire cottage industry of people who go to great lengths to upgrade partial data to make it more valuable. On the Dark Web, one can easily find postings buying and selling this kind of partial information.
Below is a screenshot showing a forum post looking to purchase any kind of databases containing private user information. (Thanks to Ronnie Tokazowski for pulling this screenshot.)
How could attackers use this information? Take, for example, a list containing phone numbers and debit card numbers, but no PINs. A debit card number without a PIN isn’t useful, but an attacker could easily orchestrate a phone scam by posing as the victim’s bank, gain legitimacy by correctly stating the victim’s card number, and ask the victim to verify his/her identity by providing the PIN.
Look no further than the recent IRS breach to see how attackers may gain the coveted, sensitive information needed to steal identities by piecing together partial bits of information. Attackers were able to access full tax returns through the IRS’ Get Transcript application, which required attackers to answer personal questions, making it likely that the attackers had some prior knowledge about their targets. The IRS stated as much, saying, “These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer.”
Note that I’m not trying to draw any connection between the IRS breach and Carefirst. We don’t know how the IRS attackers gathered their intel, it was likely from a number of sources. We also don’t know where Carefirst data has gone either, it’s just important to note that these “less severe” breaches still have consequences.