The Domino Effect of Shared Systems and Data Breaches

The University of California, Los Angeles (UCLA) Health System, Community Health Services (CHS), Anthem Inc., Premera Blue Cross, the U.S. Office of Personnel Management (OPM), and United Airlines have all recently experienced data breaches. Theoretically, all of these breaches may have provided state-sponsored malicious actors with additional intelligence to select their next targets.

What many may not realize is that several of these entities share information and systems. For example, the UCLA Health system has an existing relationship with Anthem in which they exchange patient, financial and testing information. The Anthem, Premera and OPM breaches have been linked to the same Chinese hacking group. Based on the relationship of the victims and the data that was taken, we can assume the intelligence was used to further the group’s target value with every next hack.

Something to think about when it comes to healthcare attacks is that when attackers steal patient information through infiltration of database servers, doctors’ login information is usually on those servers as well. That login information can give attackers access to a doctor’s services and partners.

Additionally, doctors are human and don’t necessarily want to keep track of or remember multiple passwords. Continuous use of the same password allows for phishing from company to company, creating a chain of data compromise from one business to all the others in its supply chain or partner network.

The Transportation Security Administration (TSA) and 10 airlines share data via a Known Traveler Number (KTN) that track travelers in the enrolled program. This shared number is a way for malicious actors to access manifests from United Airlines for the purpose of tracking travelers. How about the other nine airlines? How are the state-sponsored actors using this data? One theory would be that they are tracking the movements of U.S. government intelligence analysts, agents and military personnel in and out of foreign countries. This gives overseas governments intelligence to utilize in counter intelligence and compromising individuals’ security clearances. 

What I take away from all this is that most data breaches, even those affecting small to medium size businesses, have a farther-reaching effect than that of a single breached business.

  • We saw the compromise of regional medical services (UCLA) that had access to national insurers.
  • We saw those national insurers (Premera, Anthem) become exposed and leak information to government agencies (OPM/TSA).
  • Now, travel information (United) about government personnel (CIA, NSA, FBI) is being tracked. This all potentially started from a breach of a regional medical facility.

Companies can protect themselves from these scenarios with these best practices:

  • Correlate internal physical and cyber activity to locate anomalies of malicious behavior.
  • Maintain active intelligence of open and closed source forums in the dark web.
  • Talk to your supply chain and partners about meeting high security standards.
  • Pay attention to security researchers by following blogs, social media feeds, newsletters, and forums.
  • Enable your security personnel to enforce security policy and procedures and deliver consequences for violations.
  • Scan and test your hosts, systems, networks, applications, shared environments, and people on a regular basis.
  • Supply the necessary people, processes, and technology to protect your organization efficiently.

Connection between UCLA Health and Anthem
Anthem Article

Connection between Anthem and Premera
Computer World Article
Premera Article

Anthem, Premera and OPM
FireceHealthPayer Article
IT Governance Article

Nevada Shooters Forum Thread
House Committee Document

TSA and 10 Airlines
TSA Application Program 
Bloomberg Article

About the Author

Stephen Coty - Chief Security Evangelist at Alert Logic

Stephen Coty

Stephen Coty originally joined Alert Logic as the head of the Threat Research team, where he led the effort to build threat content and deliver threat intelligence. He later became the Chief Security Evangelist for the company. Prior to joining Alert Logic, Coty was the Manager of Cyber Security for Rackspace Hosting, and has held IT positions at multiple companies, including Wells Fargo Bank, Applied Materials, Stanford Medical Center and The Netigy Corporation. He has been in the Information Technology field since 1993. Research has been his primary focus since 2007.

@StephenCoty | More Posts by Stephen Coty