Another Reason for Detailed Access Logs

Another poorly written application, another data leak. Not new, barely news.

This statement is interesting though:
“[company spokesperson] said it's unclear how many customers' information was viewed, but that letters were sent to 230,000 Californians out of an "abundance of caution.”
Had there been sufficient logging built into the application, Anthem Blue Cross would have known the extent of the breach and (perhaps) could have avoided sending out all 230,000 breach notifications. That’s a view on logging that I’ve expressed to my co-workers many times. Logs can verify what didn’t happen as well as what did happen, and sometimes that’s exactly what you need.

There are a couple of other interesting things in the story:
“the confidential information was briefly accessed, primarily by attorneys seeking information for a class action lawsuit against the insurer.”
That’ll probably cost Anthem a bundle. Letting lawsuit-happy attorneys discover your incompetence isn’t going to be the cheapest way to detect bad applications.

And:
“a third party vendor validated that all security measures were in place, when in fact they were not.”
Perhaps the third party vendor isn’t competent either?