I recently received a letter via postal mail from a company of which I have never heard, named Anthem, Incorporated, which “discovered that cyber attackers executed a sophisticated attack to gain unauthorized access to Anthem’s IT system and obtained personal information relating to consumers who were or are currently covered by Anthem or other independent” health care “plans that work with Anthem.”
Sophisticated? Such as what Marriott calls the AC Hotel Coslada Aeropuerto in Madrid of which I posted a review? Am I supposed to be impressed? Am I supposed to think that because the attack was “sophisticated” that I should think to myself “Well, it was sophisticated, so I will give the company I never heard of a break; because if the attack was not sophisticated, then I would be angry because the company did not do enough to prevent such an attack.”
Guess what? I am angry anyway. One of the companies with which I once had a health insurance policy is apparently under the Anthem umbrella; but I had not been a customer in years.
Great. I did not have to do anything — even have an account for years — and I may still have been subjected to a cyber attack.
According to that letter — of which the entire version is found here — the Federal Bureau of Investigation of the United States is currently involved in this case.
“Analysis of open source information on the cybercriminal infrastructure likely used to siphon 80 million Social Security numbers and other sensitive data from health insurance giant Anthem suggests the attackers may have first gained a foothold in April 2014, nine months before the company says it discovered the intrusion”, wrote Brian Krebs — the founder of Krebs on Security — in this article posted back on February 9, 2015.
I would not have as much of an issue with companies if they were not becoming more and more dependent upon doing business virtually in the name of increased profits — and apparently rendering them and their customers more vulnerable to cyber attacks in the process. Let us use Adobe Systems as an example. They have produced and marketed software primarily to the graphic arts, photography and videography communities for greater than 33 years. I still have in my possession Photoshop version 0.8 — you read that correctly, as Photoshop had not been released as an Adobe product as of yet during its transition from its origin as a scanner “plug-in” for scanners with version 0.8 — on a hard floppy disk with a capacity of one megabyte.
An announcement from Adobe on May 6, 2013 at a conference revealed that their Creative Suite line of products — which included such items as Photoshop, Illustrator or InDesign, depending on the configuration — would be discontinued and replaced by Creative Cloud, where customers would be forced to pay a subscription or other charge for software which they no longer had the license to own.
Later that year, Adobe Systems endured a major security breach of “sophisticated” attacks where significant portions of the source code for the software by the company were stolen and posted via the Internet — reportedly resulting in greater than 150 million records of the customers of Adobe being readily available for download…
…and last year, a power outage brought down Creative Cloud for a day, according to this article written by Tom May of Creative Bloq — meaning that customers were inconvenienced because they could not log into their accounts and conduct business as normal.
Despite the technological snafus, do not look for Adobe to reverse course. A record 70 percent of the $1.11 billion in revenue during the first quarter of 2015 from Adobe was from recurring sources, compared to 52 percent of revenue during the first quarter in fiscal 2014.
Recurring sources would translate to those subscriptions many of their customers are forced to pay; and for a percentage of those customers, that means paying significantly more for software which they used to have a license to own and opt not to purchase every time a new version was released…
…and with software application programs such as Photoshop — whose core functionality of tools for the manipulation and retouching of images has basically remained unchanged since that version 0.8 which I have — that translates for some customers to paying for new features which they most likely neither need nor will ever use.
In the case of Adobe, a choice should be offered to its customers: either subscribe to Creative Cloud or purchase Creative Suite for access to its software. Those customers who feel squeamish about being subject to cyber attacks and power outages — as well as those who would not benefit from a subscription model — should be able to purchase a license to software which they can keep on their shelves as a backup in case of a technology failure. Give your customers a choice.
Now think about this with airlines, lodging companies and rental car companies: how many of those companies have managers who would like to have you purchase “enhanced” products and services which you may not ever use — and have the transaction done electronically?
In some ways, this has already happened: remember when airline tickets used to be purchased via the telephone — as well as at airport counters and city ticket offices? Remember when airlines would entice you with bonus miles and discounts simply for purchasing tickets via the Internet?
Now the reverse is true: unless you want to pay a minimum fee of $25.00 to purchase an airline ticket via the telephone or at the airport — city ticket offices no longer exist — you must purchase your airline ticket via the Internet.
The frequent travel loyalty programs of many of those same companies in the travel industry have recently been the target of cyber attacks within the past year alone — including British Airways Executive Club, Delta Air Lines SkyMiles, American Airlines AAdvantage, United Airlines MileagePlus, and Hilton HHonors. Additionally, Mandarin Oriental Hotel Group — a lodging chain of upscale hotel properties — reportedly confirmed that its hotels had been affected by a credit card breach on Saturday, March 14, 2015, according to this article written by Kevin of Economy Class & Beyond…
…and my Starwood Preferred Guest account was compromised back in January of this year where all of the Starpoints I had were wiped out of my account. My account has since been fully restored.
How many miles and points need to be stolen before additional security measures — which inconvenience members of frequent travel loyalty programs as little as possible — are put in place? How many credit card accounts must be compromised — such as mine back in December of 2014 — before more is done by companies to better protect the very customers they serve? How many people need to endure the frustration and hassle of being victims of identity theft before the prevention of that happening in the first place is significantly more effective and the system of recovering from it is fixed in favor of those victims?
This cyber attack garbage is out of control. Companies in all industries which embrace technology to conduct commerce need to invest more of their profits to help protect their customers — past, present and future — from being subject to this nonsense…
…and I am tired of receiving letters from companies who alert me about having my vital information compromised and offer to do little about it — especially when I had not been a customer of a company for years.
Please do not misunderstand me — there are many cases where I prefer to use technology to conduct business and even embrace it. I like writing articles for The Gate, for example. I like using kiosks at the airport. I am constantly comparing fares for flights and room rates for hotel rooms…
…but the breaches of vital information and the risk of identity theft need to be reduced; and they need to be a priority to those companies who choose to move more and more of their business transactions electronically and virtually. Stop using words such as sophisticated to describe cyber attacks. Regardless of what fancy words they may use to solicit some form of sympathy or understanding from their customers, the truth is that their defenses against such cyber attacks were simply not adequate enough — period.
While there are ways you can reduce the risk of identity theft — of which I offer some advice here — you do not have complete control in reducing or eliminating that risk…
…short of becoming a Luddite and not using technology at all, that is; and even then, governments and certain companies will still have your vital information electronically on file — putting your information at risk anyway and possibly rendering you vulnerable to identity theft, from which it is still difficult to fully recover once it occurs.
What do you believe is the answer to reducing or — although highly unlikely — eliminating the risk of having vital information breached? Have we become too dependent on virtual commerce? What should companies do with the vital information they possess on customers, both past and present? Should there be more traditional methods of backing up and storing information in addition to current virtual methods?