The plaintiffs of a class-action lawsuit against health insurance provider Premera Blue Cross are accusing the organization of "willfully destroying" evidence that was crucial for establishing accurate details in a security breach incident.
In court documents filed last week obtained by ZDNet, plaintiffs claim that Premera intentionally destroyed a computer that was in a key position to reveal more details about the breach, but also software logs from a security product that may have shown evidence of data exfiltration.
Establishing if hackers stole data from Premera's systems is crucial for the legal case. Breach victims part of the class-action will be to claim a right for monetary compensation, while Premera may argue that since hackers did not steal data from its servers, there is no tangible harm to victims.
The class-action lawsuit is in connection to a March 2015 announcement. Back then, Premera announced that hackers breached its systems and gained access to computers holding the personal and medical data of over 11 million Americans.
Several lawsuits were set in motion in 2015, later followed by a class-action filing. Angry Premera customers cited negligence on Premera's part. The plaintiffs claimed that the Office of Personnel Management (OPM) "found numerous security flaws during a routine audit of Premera's systems, which it reported to Premera a few weeks before the breach."
The OPM warning came in April 2014. A month later a Premera employee fell victim to a phishing email, which led to hackers planting malware on the organization's network.
Premera took months to heed the OPM's warning, hiring cyber-security firm Mandiant in October 2014. The cyber-security firm discovered the breach a few months later, in January 2015.
"Mandiant's investigation determined that a known hacking group (that had targeted and extracted data from similar entities) was responsible for the breach, and discovered fragments of RAR files, which are created by compression software commonly used by hackers to shrink files to a manageable size before exfiltration," court documents filed on August 3, 2018 reveal.
Part of their litigation, the plaintiffs requested access to evidence regarding the 2015 security breach, including Mandiant reports, and the hard drives and forensic images of the 35 Premera computers that Mandiant identified as infected.
But in new documents filed last week, plaintiffs say that "Premera responded that it could only produce images for 34 of those 35 computers; the 35th computer had been destroyed."
"The 35th computer, called [REDACTED], was a 'developer' computer--loaded with robust software and afforded security clearance to Premera's most sensitive databases," court documents say.
"Mandiant found that [REDACTED] contained a unique piece of hacker-created malware that Mandiant called PHOTO. Mandiant found PHOTO only on [REDACTED]. PHOTO malware had the capability to upload and download files, and to exfiltrate data. Hackers accessed PHOTO on [REDACTED] between May 12, 2014 and February 2015.
"The hackers configured PHOTO on [REDACTED] to communicate with an outside website named 'www[.]presecoust[.]com.' Mandiant's analysis of proxy logs found hundreds of thousands of almost daily contacts between [REDACTED], the only Premera computer containing PHOTO, and www.presecoust.com between July 23, 2014 and January 9, 2015. Only [REDACTED]'s destroyed hard drive could show what the hackers left behind during those contacts."
The suspicion is that these hard drives contained RAR files used for data exfiltration, along with other evidence.
According to a response the plaintiffs' legal team received from Premera, 34 of the 35 computers Mandiant marked as infected were sent to sequestration, but [REDACTED] was categorized as an End-of-Life asset, and Premera's IT team had it destroyed on December 16, 2016.
"The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera's network," the plaintiffs argue. "This computer functioned as the development machine for a software programmer, and as such was pre-loaded with a vast array of legitimate utilities that could be turned to any purpose."
"While Mandiant had a chance to analyze its contents and draw conclusions from that data, Plaintiffs will not be able to do so, and have been deprived of the ability to review and rebut Mandiant's conclusions based on that data."
Plaintiffs have an interest in rebutting Mandiant's analysis because they say several Mandiant reports had conflicting conclusions --with February and March 2015 reports suggesting that hackers exfiltrated data, while a June 2015 report denied the claims of previous reports, saying no evidence of data exfiltration was found.
But that's not all. Further, the plaintiffs also argue that Premera did not take steps to secure crucial logs created by a data loss prevention (DLP) software called Bluecoat.
"Premera destroyed both of these pieces of evidence after the filing of this lawsuit," plaintiffs said.
The plaintiffs' legal team is now asking the judge overseeing the case to instruct the jury "to presume that exfiltration occurred," and to deny Premera the chance to bring in any security expert to testify that no data exfiltration took place.
If the judge rules favorably on this motion, Premera will not be able to claim that plaintiffs didn't suffer damages because hackers never actually stole anything from its servers. But a favorable ruling won't be enough for plaintiffs to win their case, either, as they'll still need to prove that customers suffered direct damages because of the 2015 breach. In the last few years, breached companies have won most of these cases because victims found it very hard, or near impossible, to link financial losses from identity theft or identity fraud to a specific breach, in particular. It certainly doesn't help that customers have had their personal data leak online left and right, for the past decade.
Answering a request for comment from ZDNet sent earlier today, Premera Blue Cross VP Corporate Communications Steve Kipp provided the following statement:
"We are aware of the motion for sanctions that was recently filed by the plaintiffs in the class action arising from the 2015 cyberattack at Premera. It is the type of motion that is not uncommon in complex litigation involving voluminous physical and documentary evidence, and represents just one of many disputes that can arise during the discovery phase of a lawsuit. We disagree with the motion and do not believe the facts justify the relief plaintiffs have requested. Our attorneys will be filing a response in due course."
This is not the first time an organization is accused of destroying crucial evidence in a legal case. The Associated Press found last year that Georgia election officials quietly wiped clean a computer server that could have revealed whether Georgia's recent elections were compromised by hackers.
Article updated post-publication with Premera's statement. Codename of crucial computer also redacted out of document, also at Premera's request.