The attack on Anthem exposed 78.8 million records and, according to experts who investigated the case, it was probably not a smash-and-grab raid but a sustained, low-key siphoning of information over a period of months. The attack was conducted to stay below the radar of the company’s IT and security teams, using a bot infection to exfiltrate data out of the organization.
The records include names, dates of birth, addresses, and medical ID numbers; financial and medical records were not exposed.
Investigators reported that customized malware was used to infiltrate Anthem’s networks and steal data. The exact malware type was not disclosed but is reported to be a variant of a known family of hacking tools. However, an independent security consultancy reports that the attack may have started up to three months earlier. The consultancy said that it noticed ‘botnet type activity’ at Anthem affiliate companies back in November 2014.
Back to the present, the settlement fund will cover costs incurred by victims of the breach.
According to the settlement’s “Alternative Compensation” section, customers who already received credit monitoring services can elect to receive a small cash compensation that ranges from $36 up to $50 in some instances.
Judge Lucy Koh of the District Court for the Northern District of California will review the proposal; if approved, it could be the largest data breach settlement in history.
In March 2017, the US retail giant Target entered a settlement with the US Attorneys General and agreed to pay $18.5 million over the 2013 data breach.
“After two years of intensive litigation and hard work by the parties, we are pleased that consumers who were affected by this data breach will be protected going forward and compensated for past losses,” lead attorney Eve Cervantez said.
As is usually the case with settlements, Anthem will not have to admit to any wrongdoing.
The settlement was also generous with attorneys: a third of the package, a total of $37,950,000, will cover their fees.
Experian, which is handling the credit and identity monitoring services for the victims of the Anthem data breach, will receive an additional $17m.
(Security Affairs – Anthem, Data Breach)