Data Loss Prevention (DLP) , Forensics , Governance & Risk Management
Destroyed Computer Hampers Lawsuit in Premera BreachDeveloper's Computer, A23567-D, Was Tagged End of Life and Destroyed
Plaintiffs in a class action suit against Premera Blue Cross allege the company destroyed a computer that may be key to proving sensitive data ended up in hackers' hands after a 2014 intrusion.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The allegation is contained in a motion filed Aug. 30 in the lawsuit, which is being considered in U.S. District Court in Portland. The motion also alleges Premera failed to preserve data loss prevention logs that may have indicated exfiltration.
The motion is asking a federal judge to instruct the jury at trial to assume that data exfiltration occurred. It also seeks to prevent any experts from testifying that no data exfiltration occurred.
Efforts to reach Premera officials weren't immediately successful. But a spokesman tells ZDNet the company disagrees with the motion and that it does "not believe the facts justify the relief plaintiffs have requested." The company plans to file a response, the spokesman says.
Premera Blue Cross announced in March 2015 that a cybersecurity incident had potentially exposed personal data for 11 million people, including Social Security numbers, bank account information, claims and clinical information (see Another Massive Health Data Hack).
FireEye's Mandiant incident response unit, which discovered the intrusion in January 2015, determined the attack took place in May 2014, meaning attackers may have had access for as long as eight months.
After Premera's disclosure, a bevy of class action lawsuits were filed, which have now been consolidated into one (see 5 Breach Lawsuits Filed Against Premera).
The data on the machine, dubbed A23567-D, is deemed by the plaintiffs as important in proving that personal data ended up with unauthorized parties. The motion contends that a preliminary analysis by Mandiant showed the computer to be central in exfiltrating data.
"Any files or remnants the hackers left on A23567-D during those contacts are now permanently lost, along with plaintiffs' chance to show evidence of exfiltration though the logs stored on the device," the motion contends. "Without access to that hard drive, trying to prove that the hackers removed Plaintiffs PII [personally identifiable information] and PHI [protected health information] through that computer is impossible."
A23567-D was one of 35 computers that showed sign of tampering as a result of the intrusion, the motion says. It was a key computer, as it belonged to a developer and had privileges for some of the company's most important databases.
The motion says that Mandiant analysts found that it was the only one of 35 computers to contain a type of malware called PHOTO, the motion says. The malware could be used to upload and download files, modify the registry and processes and execute programs.
Mandiant found that the intruders had daily contact with A23567-D between July 2014 and January 2015. The A23567-D communicated with a domain, www[.]presecoust[.]com, the motion says.
"The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera's network," the motion says. "This computer functioned as the development machine for a software programmer, and as such was pre-loaded with a vast array of legitimate utilities that could be turned to any purpose."
As a resultm "only A23567-D's destroyed hard drive could show what the hackers left behind during those contacts," the motion says.
Where's Computer #35?
Last November, lawyers for the plaintiffs asked for the forensic images of the 35 computers. However, Premera could only provide images for 34, saying the 35th had been destroyed, the motion says.
The motion alleges that Premera "willfully" destroyed A23567-D. According to Premera's discovery filings as quoted in the motion, however, its destruction appears to have been a mistake.
While Mandiant sequestered the other 34 computers, A23567-D was "unintentionally filed as end of life," Premera contended. It remained unused and offline for a year within Premera's Client Technology Services.
Eventually, it was sent to Premera's personal computer distribution center on in September 2016 and was listed as destroyed on Dec. 16, 2016.
The plaintiffs see that as a big problem for their case when going to trial.
"Essentially, Premera maintains a 'no harm, no foul' defense, contending there can be no damage to any plaintiff unless he or she can prove confidential information was exfiltrated from Premera's system," the motion says. "Plaintiffs dispute Premera's theory, and allege that harm was done to every member of the Class when their sensitive information was exposed to an unauthorized third party - namely, the hackers."