Sunday, March 22, 2015

Open Letter to Premera Blue Cross CEO Jeffrey Roe

22 March 2015

Dear Mr. Roe,

My wife and I were Premera Blue Cross customers during my tenure with Microsoft. During that time, we both had surgeries done and she has a long history of medical treatments. In other words, Premera Blue Cross holds a lot of very sensitive information on both of us, separate and apart from our social security numbers, dates of birth, and other personally identifiable information. I'm sure that many of your customers could say the same. This open letter serves to notify you of my intention to see that Premera Blue Cross is made an example of for the insurance industry, much like Target was for the retail industry, for the following reasons:

You Knew About The Problems Beforehand And Didn't Fix Them

The U.S. Office of Personnel Management's Office of the Inspector General conducted an audit of Premera's controls regarding the protection of federal employees' personal information. Your predecessor Gubby Barlow received the results on April 18, 2014, three weeks before attackers gained access to your networks. Here are my top three:

Premera failed to implement its own patch policy, leaving its network exposed to hackers who monitor patch announcements and then look for targets who are slow to implement those patches.

Premera persisted in using unsupported and/or out-of-date software, which is essentially an always-open door to attackers.

You had servers that standard vulnerability tests revealed were insecurely configured. Malicious hackers frequently use those same vulnerability testing tools to identify which servers on a network will be easiest to crack.

You claimed that your company suffered a "sophisticated attack". Considering the above issues, I highly doubt that. Any one of those would allow even a novice hacker (or script kiddie) to gain access to your network. To have all three means that your IT department has been negligent at best. To then respond to the IG's audit by saying that they'll be remediated in eight months instead of immediately tells me that the security of your customers' most sensitive information is simply not a priority for you, your board, or your senior executives.

Two Years Of Free Credit Monitoring Is Laughably Inadequate

Your notification letter contains a paragraph entitled "What is Premera doing to protect you?". Let's start with the fact that the state of your network security pre-breach tells me that you didn't protect me before the breach, and your offer of free credit monitoring certainly won't protect me after the breach. That's because the risk for your customers goes WAY beyond simple identity protection. They become targets for new spear phishing attacks with the end result being the customers' banking information and/or entrée to the next corporate network - probably an employer of one of Premera's customers such as Microsoft, Amazon and Starbucks, to name a few.

While companies like yours have frequently gotten away with giving customers whose information has been compromised while under your stewardship nothing more than free credit monitoring service, that time is coming to an end because it does not address the vast potential for harm that Premera's poor security practices have negligently permitted.

Inadequate Breach Response

Your customer notification letter didn't contain enough information to know the state of our sensitive data. It should specify what happened. Your job is to protect your customers by providing enough information for us to gauge the seriousness of the breach, not make it easier for your breach remediation company to gather information for their own purposes and benefit. 

Incident Responders Cannot "Clean" Your Network
If you believe that your network is now "clean" and will stay that way, you've been misinformed. Incident responders cannot give any company a "clean bill of health", because no one has sufficient visibility across a global network with tens of thousands of endpoints accessed by thousands of employees and vendors, any one of whom could have their network credentials used by malicious actors who are simply dormant during the investigation. The proper assumption for companies like yours to make about the state of their network is that it is either in a state of breach currently or it will be tomorrow. Your goal should not be to keep attackers out. It should be to keep your critical data, especially your customers' data, secure. 

Instead of wasting six to seven figures on incident response, you should spend at least some of that money finding and hiring an experienced Chief Information Security Officer who can properly manage the security of your network; something that Premera apparently has never seen fit to do. The rest of it should be spent on better securing your customers' personal and clinical data so that even if an attacker has access to your network, they can't access the data that you should be protecting.

Then you won't have to send me a breach notification letter with ambiguous language like "attackers may have gained access to your data". Instead, you'd be able to say "Mr. Carr, we had a breach but your data is safe." 

Unfortunately, you can't say that and I'm forced to do what I can to hold companies like yours responsible for more than just two years of credit monitoring.


Jeffrey Carr
President and CEO, Taia Global, Inc.


  1. I agree with the letter, but I think there's a much bigger problem here, and not with Premera. Why does the US insist on using non-secrets as identity validation factors? My SSN is NOT a secret, given that I am required to give it away to most any business with which I do business. My mother's maiden name is NOT a secret, it is public record. So is my date of birth. My first pet's name is a secret UNTIL I am asked to give it away to the first company that asks.
    This is severely broken, and I am appalled that US law defends these practices, favoring convenience over security. Companies should not be able to make a customer responsible for a financial or otherwise sensitive action without proper validation that doesn't rely on public information as the validating factor.

  2. Premera’s response further exposes customers to breaches. Instead of hosting their response on their own website (probably for PR purposes) they created a 3rd party site that uses no encryption and has no certificates. Thus, I am open to man-in-the-middle attacks while entering my data for the purpose of signing up to protect my data. It is interesting to note that a phishing site with the name was created a full 3 days before went online. Even without the potential for man-in-the-middle attacks, by creating a second website for dealing with the crisis they created the potential for more phishing and loss of trust.