Friday, June 5, 2009

Aetna - Hard Lessons from a Web Site Compromise

Sadly, it's not too newsworthy [anymore] when yet another company's web site gets hacked and the results are felt almost immediately by its users. What worries me is when an article like this hits the wire: Aetna says web site hacked. Read the article, then keep reading here.

After reading that article I was a little disturbed by the statements made, so I contacted Cynthia Michener at Aetna directly, and asked for her comments. Interestingly enough... things aren't always what the mainstream media [re]prints them out to be.

What's worse: getting hacked or not knowing how you got hacked? I'm going to make a leap here and say that the only thing that's worse than getting hacked and having to tell the world about it is then saying you have no idea how the "bad guys" got in. Read the article carefully:

"We know for certain that the e-mails were accessed, we don't know whether or not anything else was accessed," she said. "But we're erring on the side of caution, we want people to know."

A contractor has done a "thorough forensic review" but was unable to find out how the hackers penetrated the site, Michener said.

What a statement.

Reading that rattled me so much I went back to Cynthia and got some clarification, and to find out if there was any truth to that. First off, as she aptly stated, let's be clear - there was no banking, financial, or health data here... just job applicant information which happened to include emails, and SSNs (Social Security Numbers). Oh good... no, wait, well that sucks. By Aetna's numbers 65,000 people were in this system when it was compromised, and information that was contained in this jobs site included name, address, SSN, and some other job-related information. Fair enough... but let's focus on the fact that neither Aetna [nor the outside contractors they hired] could pin-point the source of the hack or how the attackers got the data in the first place.

At the outset, this is a clear demonstration that whoever the hacker was (or whoever they were), they were obviously pretty good. Or... Aetna's security and their contractor are pretty bad... or the systems they're using are inadequate. No matter what, this doesn't spin well for Aetna. We've all discussed that it's not if but rather when a company gets hacked. Taken a step further, it would follow that it is critical to have layered defenses and layered logging to tip off the system when an attack is successful... this is what appears to be missing here.

On the other side of the coin, you have to worry about the deeper question here. Aetna is making a statement that they were hacked, they investigated, and according to the article I quoted above... they gave up. This isn't entirely true, as Cynthia pointed out to me...

"In addition to the below information on the investigation and those affected (which I encourage you to read/use as this info will make more sense), here's some more information. To investigate, we hired an industry-leading, third-party computer forensic and security vulnerability analysis vendor to work collaboratively with the web site vendor to investigate this information. After a thorough forensic review of all available records of data access, the third-party expert has nevertheless not yet been able to pinpoint the precise source of the breach. We do know that the phishing e-mails employees and others received requested that the user respond to an e-mail address traced to a server in Russia. The e-mails themselves originated from numerous dummy e-mail accounts set up with an Internet web-mail service provider. Again, we don't know whether any other information was accessed or how these e-mail addresses were acquired by the third party. However, to err on the side of caution, Aetna decided to notify and offer credit monitoring to anyone who had a social security number in the database. Our investigation is continuing."

As the investigation continues I do hope that Aetna discovers the source of the stealthy hack. Furthermore, I hope they learn from this and implement better security counter-measures... not necessarily to do a better job of keeping the bad guys out - but to be able to figure out what they did and how they got in when the inevitable happens. Overall I think Aetna handled this quite well; erring on the side of caution is always a good thing.

Some info from Aetna's PR channel...
  • Incident initially discovered week of May 4th, 2009
  • Emails stolen were used to launch a spam campaign aimed at soliciting further personal information from Aetna job applicants
  • Aetna immediately (not sure how quick this was...) took the job site down, notified people, and posted notices on their website
  • Approx. ~65,000 people who were offered jobs with Aetna had their information potentially compromised
  • Information included: Name, address, DOB, SSN, phone number, and other job-related information
  • Majority of the people compromised are current/former Aetna employees

In the final analysis... I think the media handled this poorly by mis-quoting and mis-understanding the incident. I think Aetna did a decent job with identification, notification and triage of the incident. My concern continues to be that they still do not know how the incident was perpetrated... that should keep their CISO up at night.

1 comment:

Rafal Los said...

... of course (as someone just pointed out to me) there is another possibility here.

Could someone have custom-written some malware that simply took the information (such as emails) from the HR person's email client? Quite possibly the answer is yes since no other data was seemingly used (that Aetna knows of).

Interesting theory... too bad you didn't identify yourself, mystery person.