Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

March 10, 2015

Help Anthem Do A Security Audit!

Filed under: Cybersecurity,Security — Patrick Durusau @ 6:01 pm

US regulator says Anthem “refuses to cooperate” in security audit by John Zorabedian.

From the post:

Anthem “refused to cooperate” with US regulators attempting to conduct vulnerability scans and configuration tests on its IT systems.

The Inspector General of the US Office of Personnel Management (OPM) recently attempted to schedule a security audit of the health insurance giant.

This was in the wake of Anthem’s massive data breach that exposed sensitive data on nearly 80 million customers – and non-customers, it later turned out.

Because Anthem provides insurance coverage to federal employees, the OPM’s Office of the Inspector General (OIG) is entitled to request to audit the company, but the company is allowed to decline.

Anthem turned down the OIG’s request, citing corporate policy against allowing third parties to connect to its network.

Corporate policy was insufficient to keep out the hackers that stole 80 million records, just as passing new penalties for security breaches is insufficient to increase computer security.

I suspect corporate policy is an excuse to avoid admitting their security is managed by a part-time sysadmin who is moonlighting from their day job as an NSA programmer. 😉

It’s too bad the law is in such a state that hackers can’t volunteer to help Anthem with penetration testing, etc., and then tweet the issues with the hashtag #AnthemAudit.

When President Obama isn’t busy declaring sanctions on our next nation victim, he talks a lot about cooperation to increase security. Hackers cooperating to help with penetration testing sounds like an example of that sort of cooperation. Does it to you?
