daveinpoway (Premium Member, join:2006-07-03, Poway, CA, kudos:3):

Personal info of 1m compromised in Nationwide breach

"The FBI is investigating a breach at Nationwide Insurance, where hackers recently accessed the sensitive information of about one million people, including policy and non-policy holders.

Elizabeth Giannetti, a Nationwide spokeswoman, confirmed with SCMagazine.com on Thursday that the incident, where a "portion" of the company's computer network was breached, affects customers, as well as people that requested quotes from Nationwide. Victims span all 50 states."

»www.scmagazine.com/perso ··· Newswire

Snowy (Premium Member, join:2003-04-05, Kailua, HI, kudos:6; Hawaiian Telcom, Clearwire Wireless, Time Warner Cable):

[Attached screenshots: Screen 1, Screen 2, Screen 3, Screen 4]
Trending Now: Inexcusable Data Breaches

Nationwide Insurance’s IT Security Professionals must talk a good story because they are not qualified for their positions.
Finding employment elsewhere shouldn’t be much of a problem for them considering how many companies are re-staffing because of recent data breaches.

Maybe that’s the problem?
Companies are hiring from the same pool of recently fired IT Pros.
/sarcasm

The PII that was breached had to have been juicy coming from an insurance company.
They are the kings of harvesting/purchasing & storing invasive personal information

I went through the steps of receiving an online quote from Nationwide Insurance to see what the “public data” would reasonably include.

Screen 1 Your Information
First Name:
Last Name:
Email:
Phone:
Address:
City:
State:
ZipCode:

Screen 2 Vehicle Info
Vehicle Year:
Make:
Model:
VIN (optional)

Estimated yearly mileage:
Hybrid? Y/N
Accident within 6yrs Y/N
Address where vehicle is kept:
Primary Use:

Screen 3 Driver Info
First Name:
Last Name:
Date of Birth:
Current License Number:
Current License State:
Age First Licensed:
State First Licensed:

Screen 4 Driver Discounts:
General data mining questions see image 4

Toss in the info from the linked article:
"So far, various officials have confirmed with media outlets that about 30,000 people in Georgia were affected, as well as more than 12,000 in South Carolina. The California Department of Insurance announced Wednesday in a release that approximately 5,050 residents of the Golden State were impacted and that information, such as names, Social Security numbers and other personal identifying data, were stolen in the breach, though no credit card information was accessed."

We can add the victims' SSN to the list of other PII Nationwide Insurance handed over to ID thieves who want that data for one purpose only –

Fear not though-
"Currently, the company is notifying affected individuals by mail. They will be offered free credit monitoring and identity theft protection services for one year. A toll-free number, (800) 760-1125, was also set up to handle questions."

That has become so typical that it may start appearing as the acceptable solution when there is nothing acceptable about the situation in the first place.

Is this supposed to be the penalty or the price a company has to pay for sloppy IT security?
If I owned a credit monitoring company I'd allow Nationwide to offer the victims my service for free for a year. The number of victims that would renew as paid clients at the year's end would make it a wise investment.

»www.scmagazine.com/perso ··· Newswire

Nationwide's MA issuer:
»www.massdrive.com/index

norwegian (Premium Member, join:2005-02-15, Outback, kudos:1):


Ah, the Internet in all its glory.......

The problem is that personal data should be kept offline from the Internet, but companies, including banks, request, prefer and almost demand that you use the Internet to access information because it saves on manpower.

It's just another day, in another week, in another month, where sloppy policies, cost-cutting exercises and poor/shoddy workmanship reveal too much about the general public's private information.

Truly scary stuff.

Rebuilding one's personal info is not an easy task.

----------------

On the point of a free year's monitoring, it sounds okay, but how many people in a year will still be using the same personally identifiable info? I can just see the sale of the personal info on the black market marked with "please open at Xmas 2013 to reap the most rewards".
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke


Snowy (Premium Member, join:2003-04-05, Kailua, HI, kudos:6; Hawaiian Telcom, Clearwire Wireless, Time Warner Cable):

An edit to add to my already too lengthy previous post.
I received an email from Nationwide's MA issuer with some follow-up questions which should be added to the info submitted online.

1. Is your car registered in MA? If so, please send the license plate number. If not, please send the VIN number.
2. At what age did you first get your driver's license?
3. How long have you lived in Boston, MA?
4. Are there any other licensed drivers in the household? If so, please provide their Name & Date of Birth and/or their driver's license #.
5. Are you currently a student? If so, do you have over a 3.0 Grade Point Average (GPA)?

Question 4 is a mind blower.
I don't want to even guess at the scope of the data Nationwide handed over.
daveinpoway (Premium Member, join:2006-07-03, Poway, CA, kudos:3) to Snowy:
An unanswered question is: Are/were the IT Security people at Nationwide incompetent, or did they know what needed to be done, but could not convince the management people to spend the money for the proper security hardware and software? There is only so much that can be done to secure the network if the funding doesn't exist.

I am a Nationwide customer (have been for years); I haven't received a letter yet, so I don't know if this affects me or not. I will call them on Monday to see what I can find out.

jack b (Gone Fishing, MVM, join:2000-09-08, Cape Cod, kudos:1) to Snowy:
The reason for answering number 4 is because (at least in Massachusetts) typical auto insurance policy language states that a failure to appropriately list drivers in your household may result in the company refusing to pay claims. Ignore that at your own peril.
--
~Help Find a Cure for Cancer~
~Proud Member of Team Discovery ~

Snowy (Premium Member, join:2003-04-05, Kailua, HI, kudos:6; Hawaiian Telcom, Clearwire Wireless, Time Warner Cable):

said by jack b:

The reason for answering number 4 is ...

I assumed it was about something such as that, thanks for clarifying it.
Part of the reason Question 4 jumped out at me was this, from the disclosure at the link:
"Elizabeth Giannetti, a Nationwide spokeswoman, confirmed with SCMagazine.com on Thursday that the incident, where a "portion" of the company's computer network was breached, affects customers, as well as people that requested quotes from Nationwide."

If it turns out that people who only requested a quote without purchasing a policy, say a year ago, were affected, Nationwide may have redefined the worst-case scenario.

Imagine giving up every licensed driver's stuff in the household; I'd be toast.
Of course this is just conjecture but it's slightly informed conjecture.

btw Hawaii went the opposite way ~2yrs ago.
Insurance companies may not request information on household members, but it is good to have them listed if they drive the auto being insured.
dave (MVM, join:2000-05-04, not in ohio, kudos:10) to Snowy:
said by Snowy:

Currently, the company is notifying affected individuals by mail. They will be offered free credit monitoring and identity theft protection services for one year.

I'm looking forward to the extension of this solution to homeowner's insurance.

"We're sorry someone took an axe to your front door and gained entry to your house, insured by us. We'll loan you a web cam for a year."

Blackbird (Built for Speed, Premium Member, join:2005-01-14, Fort Wayne, IN, kudos:4; Frontier Communi..) to daveinpoway:
Hackers attempt to penetrate computers, often to steal stored data. They always have, and they always will.

To me, who's otherwise not directly involved, the key relevant information (not yet released) is whether the breached records were 'properly' encrypted, as sound fiduciary responsibility would demand; or if not, then why not? If it turns out they were unencrypted, this becomes yet another sorry example of sloppy, irresponsible corporate handling of "other people's data". If they were encrypted, then was the ability to decrypt them somehow also penetrated; and if so, then how? Otherwise, no real harm to customer data or privacy would have been done if the records are simply encrypted digital trash.

Because of Nationwide's offer to victims of free identity protection, one would strongly suspect the best description of the situation is: the records most likely were unencrypted. In which case Nationwide, a risks insurer, could arguably be described as a risks-creator. For a risks insurer, that smacks of corporate arrogance of the highest order.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville

goalieskates (Premium Member, join:2004-09-12, land of big) to daveinpoway:
Gives a whole new meaning to "Nationwide is on your side."

Grrrrrr.

Snowy (Premium Member, join:2003-04-05, Kailua, HI, kudos:6; Hawaiian Telcom, Clearwire Wireless, Time Warner Cable) to Blackbird:
said by Blackbird:

Because of Nationwide's offer to victims of free identity protection, one would strongly suspect the best description of the situation is: the records most likely were unencrypted.

Nationwide has put up a web page outlining the incident that strongly suggests the data was unencrypted.

"Although we are still investigating the incident, our initial analysis has indicated that the compromised information included certain individuals' name and Social Security number, driver's license number and/or date of birth and possibly marital status, gender, and occupation, and the name and address of their employer. At this time, we have no evidence that any medical information or credit card account information was stolen in the attack."
»www.nationwide.com/notice.jsp

I can draw a few damning assumptions re Nationwide's respect for other people's stuff they promised to securely maintain by that statement.

1. The stolen data was plain text.
Reason: Any database that included CC data would have been encrypted by PCI standards, as would medical records, which would have been encrypted by HIPAA standards.
Conclusion: Nationwide in their handling of the PII was compliant with current regulations but only to the point of what was minimally required of them.

2. Nationwide maintained a database of PII that excluded the 2 items that would require encryption of the database.
Reason: To facilitate ease of access to its agents & hackers.
Conclusion: There's a major difference in being compliant to the letter of the law & acting within the spirit of the law.
Nationwide Insurance failed at the latter.
Current requirements need to be revisited to better reflect the reality of major players in the PII industry knowingly choosing irresponsible management of other people's PII.
It shouldn't be believed for a second that management was not aware of the potential downside before ignoring it.

ps This isn't a Nationwide bash - this is an industry issue that the industry will only fix when required by law to do so -
dave (MVM, join:2000-05-04, not in ohio, kudos:10):

Depends how they stole it, I suppose. If they got the database files, sure - encryption would protect it. But if they cracked someone's account and then executed a "legitimate" database listing program, it might obligingly list the plaintext data. Encryption's all very well as long as you don't have the level of access where it gets decrypted for use.
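The distinction Blackbird and dave are drawing (stolen database files versus a compromised account that can run the normal listing program) is easy to see in code. The following is an added illustration written for this thread, not code from any poster or from Nationwide. It encrypts one column with a key the application holds, so a copied disk image contains only ciphertext, but any caller who can invoke the listing routine gets plaintext back. The cipher is a toy encrypt-then-MAC built from HMAC-SHA256 in counter mode (the standard library has no AEAD; use a real library in production), and the record, key and function names are constructed for the example. The masked listing at the end shows the defensive counterpart: if the only read path a routine account needs releases the last four digits, that is all a compromise of that account yields.

```python
"""Field-level encryption at rest vs. application-level access (added example).

Toy encrypt-then-MAC from HMAC-SHA256; sample record and key are constructed.
"""
import hashlib
import hmac
import json
import os
import secrets

NONCE_LEN = 16
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(key: bytes, plaintext: str) -> str:
    """Encrypt one column value; returns hex(nonce || ciphertext || tag)."""
    nonce = os.urandom(NONCE_LEN)
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return (nonce + ct + tag).hex()


def decrypt_field(key: bytes, token: str) -> str:
    """Verify the tag in constant time, then strip the keystream; ValueError on tampering."""
    raw = bytes.fromhex(token)
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tag mismatch")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return pt.decode("utf-8")


class PolicyStore:
    """Minimal policy table whose SSN column is encrypted with an application-held key."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.rows = []

    def add(self, name: str, ssn: str) -> None:
        self.rows.append({"name": name, "ssn": encrypt_field(self.key, ssn)})

    def disk_image(self) -> str:
        """What copying the database files yields: ciphertext only."""
        return json.dumps(self.rows)

    def list_policies(self) -> list:
        """The 'legitimate listing program': whoever can run it receives plaintext."""
        return [(r["name"], decrypt_field(self.key, r["ssn"])) for r in self.rows]

    def list_policies_masked(self) -> list:
        """Same listing, but this read path only ever releases the last four digits."""
        return [(r["name"], "***-**-" + decrypt_field(self.key, r["ssn"])[-4:])
                for r in self.rows]


def demo() -> dict:
    """Compare the three access paths on one constructed record."""
    key = secrets.token_bytes(32)
    store = PolicyStore(key)
    store.add("Alice Example", "123-45-6789")  # constructed sample, not real data
    return {
        "stolen_files_reveal_ssn": "123-45-6789" in store.disk_image(),
        "compromised_account_sees": store.list_policies()[0][1],
        "masked_listing_sees": store.list_policies_masked()[0][1],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` reports that the disk image does not contain the SSN, that the unrestricted listing returns it in full, and that the masked listing returns only `***-**-6789`; the point is that encryption at rest decides what file theft yields, while the privileges of the account and the shape of the read paths decide what account compromise yields.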

EGeezer (Premium Member, join:2002-08-04, Midwest, kudos:8) to Snowy:
I knew several highly regarded IT security people who worked for Nationwide, but they all left for greener pastures.
--
Buckle Up. It makes it harder for the aliens to suck you out of your car.

Snowy (Premium Member, join:2003-04-05, Kailua, HI, kudos:6; Hawaiian Telcom, Clearwire Wireless, Time Warner Cable) to dave:
said by dave:

Depends how they stole it, I supposed. If they got the database files, sure - encryption would protect it. But if they cracked someone's account and then executed a "legitimate" database listing program, it might obligingly list the plaintext data.

Judging by the timeline from illegal access to discovery (less than 1 day), the hacker wouldn't have had time to convert up to a million records to plain text, but instead just moved a plain-text database offsite.