[BreachExchange] Destroyed Computer Hampers Lawsuit in Premera Breach

Destry Winant destry at riskbasedsecurity.com
Tue Sep 4 23:29:47 EDT 2018


https://www.bankinfosecurity.com/destroyed-computer-hampers-lawsuit-in-premera-breach-a-11453

Plaintiffs in a class action suit against Premera Blue Cross allege
the company destroyed a computer that may be key to proving sensitive
data ended up in hackers' hands after a 2014 intrusion.

The allegation is contained in a motion filed Aug. 30 in the lawsuit,
which is being considered in U.S. District Court in Portland. The
motion also alleges Premera failed to preserve data loss prevention
logs that may have indicated exfiltration.

The motion is asking a federal judge to instruct the jury at trial to
assume that data exfiltration occurred. It also seeks to prevent any
experts from testifying that no data exfiltration occurred.

Efforts to reach Premera officials weren't immediately successful. But
a spokesman tells ZDNet the company disagrees with the motion and that
it does "not believe the facts justify the relief plaintiffs have
requested." The company plans to file a response, the spokesman says.

Missing: A23567-D

Premera Blue Cross announced in March 2015 that a cybersecurity
incident had potentially exposed personal data for 11 million people,
including Social Security numbers, bank account information, claims
and clinical information (see Another Massive Health Data Hack).

FireEye's Mandiant incident response unit, which discovered the
intrusion in January 2015, determined the attack took place in May
2014, meaning attackers may have had access for as long as eight
months.

After Premera's disclosure, a bevy of class action lawsuits were
filed, which have now been consolidated into one (see 5 Breach
Lawsuits Filed Against Premera).

The data on the machine, dubbed A23567-D, is deemed by the plaintiffs
as important in proving that personal data ended up with unauthorized
parties. The motion contends that a preliminary analysis by Mandiant
showed the computer to be central in exfiltrating data.

"Any files or remnants the hackers left on A23567-D during those
contacts are now permanently lost, along with plaintiffs' chance to
show evidence of exfiltration through the logs stored on the device,"
the motion contends. "Without access to that hard drive, trying to
prove that the hackers removed Plaintiffs' PII [personally identifiable
information] and PHI [protected health information] through that
computer is impossible."

A23567-D was one of 35 computers that showed signs of tampering as a
result of the intrusion, the motion says. It was a key computer, as it
belonged to a developer and had privileges for some of the company's
most important databases.

The motion says that Mandiant analysts found it was the only one of
the 35 computers to contain a type of malware called PHOTO. The
malware could be used to upload and download files, modify the
registry and processes, and execute programs.

Mandiant found that the intruders had daily contact with A23567-D
between July 2014 and January 2015. A23567-D communicated with the
domain www[.]presecoust[.]com, the motion says.

"The destroyed computer was perfectly positioned to be the
one-and-only staging computer hackers needed to create vast staging
files for the purpose of shipping even more data outside of Premera's
network," the motion says. "This computer functioned as the
development machine for a software programmer, and as such was
pre-loaded with a vast array of legitimate utilities that could be
turned to any purpose."

As a result, "only A23567-D's destroyed hard drive could show what the
hackers left behind during those contacts," the motion says.

Where's Computer #35?

Last November, lawyers for the plaintiffs asked for the forensic
images of the 35 computers. However, Premera could only provide images
for 34, saying the 35th had been destroyed, the motion says.

The motion alleges that Premera "willfully" destroyed A23567-D.
According to Premera's discovery filings as quoted in the motion,
however, its destruction appears to have been a mistake.

While Mandiant sequestered the other 34 computers, A23567-D was
"unintentionally filed as end of life," Premera contended. It remained
unused and offline for a year within Premera's Client Technology
Services.

Eventually, it was sent to Premera's personal computer distribution
center in September 2016 and was listed as destroyed on Dec. 16,
2016.

The plaintiffs see that as a big problem for their case when going to trial.

"Essentially, Premera maintains a 'no harm, no foul' defense,
contending there can be no damage to any plaintiff unless he or she
can prove confidential information was exfiltrated from Premera's
system," the motion says. "Plaintiffs dispute Premera's theory, and
allege that harm was done to every member of the Class when their
sensitive information was exposed to an unauthorized third party -
namely, the hackers."
