US health insurer Anthem has agreed to pay what would be the largest data breach settlement in history over a 2015 cyber attack that led to the theft of the personal information of nearly 78.9 million customers.
Anthem has negotiated a US$115 million ($151.6 million) settlement with the plaintiffs in a class action lawsuit following two years of litigation.
If the settlement is approved by the court, Anthem will establish a US$115 million settlement fund which will be used to provide victims with at least two years of credit monitoring and cover out-of-pocket expenses incurred by customers as a result of the breach. Customers already enrolled in a credit monitoring service would receive cash compensation.
Anthem would also agree to increase its information security spending and implement numerous changes to its data security systems, including ensuring key information is encrypted and archived with strict access controls.
Anthem disclosed in February 2015 that hackers had broken into its servers and potentially stolen information including names, dates of birth, social security numbers, street and email addresses as well as employment information. The sensitive information was unencrypted.
Following the disclosure, more than 100 lawsuits were filed against the company nationwide, which were later consolidated into the class action lawsuit.
A US court will hold a hearing to consider the settlement agreement on 17 August.
In related news, a new report from the US Federal Bureau of Investigation’s Internet Complaint Center (IC3) has found that reported losses from internet crime grew to $1.33 billion in 2016, with the number of complaints growing to nearly 299,000.
But the report also notes that the US Attorney General’s Office estimates that only around 15% of the nation’s fraud victims report their crimes to law enforcement.
In 2016, the most common crimes reported by victims were non-payment and non-delivery, personal data breach and payment scams, the report notes. The top three crime types by reported losses, though, were compromised business emails (or CEO fraud), romance and confidence frauds, and then non-payment and non-delivery scams.
Although it is growing rapidly as an attack vector, ransomware only led to a meagre $2.5 million in losses for the year, while malware and scareware generated $3.9 million for attackers.