Summary
In 2015 the US health insurer Anthem disclosed the theft of about 78.8 million records, then the largest healthcare breach in history. It began in February 2014 with a single spear-phishing email: an employee at an Anthem subsidiary clicked a link to we11point.com, a look-alike of the company's real wellpoint.com domain, which planted malware and handed attackers a foothold. From there they captured the credentials of a database administrator and queried a data warehouse where nothing was encrypted, walking out with names, dates of birth, Social Security numbers, addresses, and employment and income data. US prosecutors later attributed the intrusion to a China-based group and indicted Fujie Wang. It is the lesson in phishing-resistant MFA, encrypting sensitive data at rest, and watching privileged database access.
How it happened
The way in was a forged trust. In February 2014, attackers sent a targeted phishing email to a handful of Anthem employees, at least one of whom clicked a link to we11point.com. The domain was a careful look-alike of wellpoint.com, Anthem's former corporate name, with the two letter L's swapped for the digits one-one, a difference almost invisible at a glance. The click installed a backdoor and gave the attackers their foothold.
From there it was quiet escalation. Over months they performed lateral movement and eventually obtained the credentials of a database administrator, which was effectively a master key to Anthem's enterprise data warehouse. Crucially, none of the data in that warehouse was encrypted at rest (HIPAA did not require it), so a stolen query account was enough to read everything in plaintext. The breach was discovered in late January 2015 when a database administrator noticed a query running under his own credentials that he had not started; by then the attackers had been running queries since around December 2014, compressing the records into encrypted archive files, shipping them to computers in China, and deleting the archives to cover their tracks. Investigators tied the operation to a China-nexus group (Symantec called it Black Vine, citing its Mivast backdoor); this was an APT after intelligence, not a criminal cash-out.
The damage
About 78.8 million people's records were taken: names, dates of birth, Social Security numbers, home and email addresses, and employment and income data. Health-sector identity data is uniquely toxic because, like a Social Security number, it cannot be changed. Tellingly, the stolen records never surfaced for sale on criminal markets, which strengthened the assessment that the goal was espionage rather than fraud. Anthem agreed to a $16 million settlement with US health regulators, the largest such penalty at the time (the regulator faulted it for never running an enterprise-wide risk analysis and for weak access controls), on top of a $115 million class-action settlement, then the largest ever for a data breach. The same China-based group was also charged with intruding into three other US businesses, and Fujie Wang, indicted in 2019, is believed to be in China and beyond reach.
Why Anthem still matters
Anthem is the clean example of a chain every defender should recognise: one phishing click becomes a foothold, a foothold becomes a stolen admin credential, and an over-privileged admin credential reads a warehouse of unencrypted personal data. Every link is breakable. Phishing-resistant MFA stops the clicked link from becoming an account takeover. Encrypting sensitive data at rest means a stolen query account yields far less. Least privilege on database and warehouse accounts, plus alerting on bulk or unusual reads, turns a quiet mass-export into a loud one. Anthem was part of the same wave of Chinese intelligence-gathering against Americans' personal data as the OPM breach the same year.
How to fix it
- Reset and re-enroll the compromised and privileged accounts on phishing-resistant MFA, and revoke active sessions.
- Encrypt sensitive datastores and tighten which accounts can run bulk queries against them.
- Hunt for the phishing foothold and lateral movement, and rebuild compromised admin identities.
- Notify affected individuals and regulators, and offer monitoring; healthcare PII does not expire.
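The alerting that the list above calls for, as an added example (not Anthem's own monitoring): it scans a query-audit log for reads of PII tables that are bulk, off-hours, or far above the account's own normal volume, which is the pattern a stolen DBA credential produces. The log format, account and table names, and thresholds are constructed for illustration.

```python
"""Alert on bulk or unusual reads of PII tables in a query-audit log.
Added example, not Anthem's own monitoring; log format, account names,
table names and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed audit lines: ISO timestamp, account, table, rows returned.
SAMPLE_LOG = """\
2014-12-10T14:02:11 dba_jsmith members 120
2014-12-10T15:40:03 app_claims claims 3400
2014-12-11T02:13:45 dba_jsmith members 950000
2014-12-11T02:31:09 dba_jsmith members 870000
2014-12-11T09:05:00 analyst_kl members 4000
2014-12-12T03:02:51 dba_jsmith members 1200000
"""

PII_TABLES = {"members"}        # tables holding names, SSNs, DOBs, addresses
ROW_THRESHOLD = 100_000         # a single query returning this many rows is bulk
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59; anything else is off-hours

def parse(line):
    ts, account, table, rows = line.split()
    return datetime.fromisoformat(ts), account, table, int(rows)

def find_suspicious_reads(log_text):
    """Return (timestamp, account, table, rows, reasons) for each PII read that is
    bulk, off-hours, or 50x above that account's own in-hours baseline."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    baseline = defaultdict(list)   # per-account rows for ordinary in-hours queries
    for ts, acct, table, rows in events:
        if table in PII_TABLES and ts.hour in BUSINESS_HOURS and rows < ROW_THRESHOLD:
            baseline[acct].append(rows)
    alerts = []
    for ts, acct, table, rows in events:
        if table not in PII_TABLES:
            continue
        reasons = []
        if rows >= ROW_THRESHOLD:
            reasons.append("bulk")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if acct in baseline and rows > 50 * max(baseline[acct]):
            reasons.append("above account baseline")
        if reasons:
            alerts.append((ts.isoformat(), acct, table, rows, reasons))
    return alerts
```

In production the baseline would come from weeks of history rather than the same log slice, and the alert should name the session so the account owner can confirm whether they started the query.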
How to avoid it
- Require phishing-resistant MFA (FIDO2/WebAuthn) so a single clicked link cannot become an account takeover.
- Encrypt sensitive data at rest and control the keys, so stolen database credentials yield far less.
- Apply least privilege to database and warehouse accounts, and alert on bulk or unusual reads of PII.
- Train and test against look-alike-domain phishing, and block newly registered look-alike domains.
- Minimize the sensitive data you retain, and segment it away from general-purpose systems.
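A look-alike-domain check of the kind the list above recommends, added here as an example rather than Anthem's own control: it maps confusable digits and letter pairs back to the letters they imitate (so we11point.com collapses to wellpoint.com), catches the brand used as a subdomain of another domain, and flags near-miss typo squats. The protected-domain list, confusable table and sample hosts are constructed; the registrable-domain logic assumes simple two-label domains (no co.uk handling).

```python
"""Flag look-alike domains such as we11point.com before a link is trusted.
Added example, not Anthem's own control; protected list, confusable table and
sample hosts are constructed, and two-label TLDs are assumed for simplicity."""
import difflib
import re

# Digits and letter pairs commonly substituted to imitate brand names.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
PROTECTED = ["wellpoint.com", "anthem.com"]   # constructed list of brands to guard

def hostname(url_or_host):
    """'https://Mail.Foo.com:443/x' -> 'mail.foo.com'."""
    h = re.sub(r"^[a-z]+://", "", url_or_host.strip().lower())
    return h.split("/")[0].split(":")[0].rstrip(".")

def skeleton(domain):
    """Canonical form of the left-most label: we11point -> wellpoint, anthern -> anthem."""
    label, _, rest = domain.partition(".")
    label = label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return f"{label}.{rest}"

def classify(url_or_host, protected=PROTECTED, threshold=0.85):
    """Return ('legit' | 'lookalike' | 'unrelated', matched protected domain or None)."""
    full = hostname(url_or_host)
    dom = ".".join(full.split(".")[-2:])          # registrable domain (assumed 2 labels)
    if dom in protected:
        return "legit", dom
    sk = skeleton(dom)
    for p in protected:
        if p + "." in full + ".":
            return "lookalike", p                  # brand used as a subdomain elsewhere
        if sk == skeleton(p):
            return "lookalike", p                  # pure homoglyph swap, e.g. we11point
        ratio = difflib.SequenceMatcher(None, sk.split(".")[0], p.split(".")[0]).ratio()
        if ratio >= threshold:
            return "lookalike", p                  # near-miss typo squat
    return "unrelated", None

def triage(hosts):
    """Map each sender domain or link target to its verdict for mail-gateway screening."""
    return {h: classify(h) for h in hosts}
```

The same skeleton function can be run against newly registered domain feeds to block look-alikes before any email carrying them arrives.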
References
- https://www.justice.gov/usao-sdin/pr/member-sophisticated-china-based-hacking-group-indicted
- https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/anthem/index.html
- https://www.hipaajournal.com/foreign-government-backed-hacker-behind-2015-anthem-breach-8638/
- https://www.infosecurity-magazine.com/news/anthem-breach-symantec-black-vine/
- https://www.bankinfosecurity.com/anthem-update-a-7946
Related vulnerabilities
- OPSEC-INTERNET-ARCHIVE-2024 (severity: High)
The Internet Archive, the nonprofit behind the Wayback Machine, had a brutal October 2024: a data breach, a website defacement, and a wave of DDoS attacks, all at once. Underneath the chaos was an unglamorous root cause. An authentication token sat in plain text in a public config file; the team rotated it repeatedly, but each new token landed right back in the same exposed file, so the leak never actually closed. With it, an attacker downloaded the source code, found more credentials hardcoded inside, and walked out with a database of 31 million users. Weeks later a second token from that same stolen code, for the support system, exposed 800,000 support tickets, some with people's ID documents. It is the lesson that rotating a secret is useless if it goes straight back into a public file, and that one leak unravels everything.
- OPSEC-MERCEDES-BENZ-2024 (severity: High)
Publicly disclosed January 30, 2024, a Mercedes-Benz employee accidentally committed a GitHub authentication token to a public repository, leaving it exposed from September 29, 2023. RedHunt Labs found the token during an internet-wide scan; it granted unrestricted, unmonitored access to Mercedes-Benz's internal GitHub Enterprise Server, allowing anyone to download private source-code repositories that could contain API keys, cloud access keys, database connection strings, blueprints, and SSO passwords. After notification, the token was revoked on January 24, 2024. Mercedes-Benz stated customer data was not affected but could not confirm whether anyone besides the researchers accessed the repositories during the exposure window.
- OPSEC-MIDNIGHT-BLIZZARD-2024 (severity: Critical)
In January 2024, Microsoft revealed that Russia's foreign-intelligence service, the same APT29 behind SolarWinds, had been reading the email of its senior leadership. The way in was almost insulting in its simplicity: a forgotten, non-production test account with a weak password and no MFA. The attackers guessed the password by spraying common ones across many accounts, then pivoted through a forgotten over-privileged application to grant themselves access to corporate mailboxes, including those of executives and the security and legal teams. It is the lesson that your security is only as strong as the account you forgot about, and that even Microsoft's perimeter fell to a missing MFA checkbox.
- OPSEC-OKTA-2023 (severity: High)
Okta is an identity provider: the single front door thousands of companies use to log their employees into everything. So when Okta's customer-support system was breached in late 2023, the blast radius was a who's-who of security-conscious companies. The entry point was almost mundane. An employee had signed into their personal Google account on an Okta laptop and saved a corporate service-account password into it; the attacker got that password and walked into Okta's support system. There they downloaded diagnostic files that customers had uploaded, some of which contained live session tokens, and used those tokens to step directly into the customers' own Okta environments. It is the lesson that session tokens are as good as passwords, support systems are production systems, and a personal browser profile can be the crack in the wall.
- OPSEC-23ANDME-2023 (severity: Critical)
23andMe held the most personal data there is: people's DNA. In 2023 attackers got into more than 18,000 accounts and, through a single social feature, turned that into the genetic and ancestry data of roughly 6.9 million people. The break-in required no flaw in 23andMe at all. Attackers simply took username-and-password pairs leaked from other companies' breaches and tried them, betting, correctly, that people reuse passwords. The accounts had no MFA, and 23andMe did not notice the five-month wave of automated logins. From those footholds, the attackers scraped relatives' data through an opt-in feature, and the fallout, fines, a $50 million settlement, and ultimately bankruptcy and a fire-sale of the DNA database itself, shows that a breach can be fatal even when your own systems were never hacked.
- OPSEC-MICROSOFT-SAS-2023 (severity: High)
Microsoft's AI research team shared open-source training data via an Azure Storage Shared Access Signature (SAS) token committed to a public GitHub repo around July 2020. The token was misconfigured to scope access to the entire storage account with full-control permissions instead of the intended read-only bucket, so anyone with the link could view, delete, and overwrite files. Wiz researchers discovered it in June 2023, finding 38 terabytes of exposed internal data including two employees' workstation disk backups with secrets, private keys, passwords, and over 30,000 internal Teams messages. Writable pickle-format models created a model-poisoning supply-chain risk; Microsoft revoked the token and reported no customer data was exposed.