Insurance Hack Nets More Than A Million Victims

By Ken Presti
December 06, 2012    6:40 PM ET

An attack on a network used by both the Nationwide Insurance Company and the Allied Insurance Companies has compromised the personal information of an estimated 1.1 million customers and applicants.

Nationwide has issued a statement apologizing for the breach and promised to take steps toward enhancing its security posture. According to that statement, the attack on Oct. 3 was quickly discovered but has not yet resulted in any known criminal use of the pilfered personal data. The company also said that letters had been sent to individuals whose personal information is believed to have been compromised.

The stolen data is believed to span the necessary components for identity theft, including names, Social Security numbers, driver's license numbers, dates of birth and possibly marital status, gender, occupation and employment information. Medical information and credit card numbers were not believed to have been breached.

The breach was reported to law enforcement authorities who are now investigating the incident. The company intends to provide credit monitoring and identity theft protection to potential victims, in accordance with the laws of many states. Enrollment instructions are being sent to them.

According to Todd Thiemann, senior director of product marketing at Vormetric, a San Jose-based encryption vendor, the fact that Nationwide made this announcement suggests that the data might not have been encrypted.

"Most state data breach laws provide safe harbor if the stolen data was encrypted," he said. "There is an assumption that the criminals are only getting encrypted gobbledygook, in which case you don't need to report that breach. But given that they are reporting the breach, odds are that the data was not encrypted."

Thiemann says the breach should serve as a wake-up call to large enterprises, as well as the channel partners that serve them.

"Best practices include securing servers with encryption of data at rest," he said. "You also need database activity monitoring software to monitor events against threats from either within the organization or from the outside. Any good security posture for databases involves layered security that includes those two key elements."

Large companies often rely on checklists of compliance restrictions as a means of satisfying security requirements at the lowest possible cost. But such an approach often carries much higher costs when breaches actually occur.

"It's not just about maintaining compliance, it's about protecting your brand," said Thiemann. "It doesn't appear that [the insurance companies] violated any laws. But, there is a huge downside for them because they now have to pay for credit monitoring. Plus, they suffer damage to their brand as a result of this data breach."

Allied Insurance could be reached for comment.

A spokesperson from Nationwide Insurance declined comment on the security technologies that were in place during the breach.
