It appears Anthem Inc may have made a poor decision.
Recall that Anthem, the health insurer, got hacked a few days ago, giving up Social Security numbers and other personal data for 80 million customers to those hackers. It turns out that Anthem had deliberately chosen not to encrypt those data. At all.
Scrambling the data, which included addresses and phone numbers, could have made it less valuable to hackers or harder to access in bulk. It also would have made it harder for Anthem employees to track health care trends or share data with states and health providers[.]
Apparently, the company considered convenience more important than the sanctity of the personal data which those 80 million victims had entrusted to Anthem.
Naturally, Kristin Binns, Anthem’s Vice President of Public Relations, as cited by The Wall Street Journal, is excusing the failure:
Anthem encrypts personal data when it moves in or out of its database but not when it is stored, which is common in the industry.
Everybody does it, therefor it’s OK. No, Madam, everybody doing it just makes the failure widespread.
She added
We use other measures, including elevated user credentials, to limit access to the data when it is residing in a database[.]
Plainly inadequate measures. Your IT department could have told you that. If they did not, that omission would seem grounds for their termination. If they did, and senior Anthem management chose to ignore them, that would seem grounds for termination of senior management.