dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
15
share rss forum feed


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

1 recommendation

reply to daveinpoway

Re: Personal info of 1m compromised in Nationwide breach

Hackers attempt to penetrate computers, often to steal stored data. They always have, and they always will.

To me, who's otherwise not directly involved, the key relevant information (not yet released) is whether the breached records were 'properly' encrypted, as sound fiduciary responsibility would demand; or if not, then why not? If it turns out they were unencrypted, this becomes yet another sorry example of sloppy, irresponsible corporate handling of "other people's data". If they were encrypted, then was the ability to decrypt them somehow also penetrated; and if so, then how? Otherwise, no real harm to customer data or privacy would have been done if the records are simply encrypted digital trash.

Because of Nationwide's offer to victims of free identity protection, one would strongly suspect the best description of the situation is: the records most likely were unencrypted. In which case Nationwide, a risks insurer, could arguably be described as a risks-creator. For a risks insurer, that smacks of corporate arrogance of the highest order.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless
said by Blackbird:

Because of Nationwide's offer to victims of free identity protection, one would strongly suspect the best description of the situation is: the records most likely were unencrypted.

Nationwide has put up a web page outlining the incident that strongly suggests the data was unencrypted.

” Although we are still investigating the incident, our initial analysis has indicated that the compromised information included certain individuals’ name and Social Security number, driver’s license number and/or date of birth and possibly marital status, gender, and occupation, and the name and address of their employer. At this time, we have no evidence that any medical information or credit card account information was stolen in the attack."
»www.nationwide.com/notice.jsp

I can draw a few damning assumptions re Nationwide’s respect for other peoples stuff they promised to securely maintain by that statement.

1. The stolen data was plain text.
Reason: Any database that included CC data would have been encrypted by PCII standards as would medical records which would have been encrypted by HIPAA standards.
Conclusion: Nationwide in their handling of the PII was compliant with current regulations but only to the point of what was minimally required of them.

2. Nationwide maintained a database of PII that excluded the 2 items that would require encryption of the database.
Reason: To facilitate ease of access to its agents & hackers.
Conclusion:There’s a major difference in being compliant to the letter of the law & acting within the spirit of the law.
Nationwide Insurance failed at the latter.
Current requirements need to be revisited to better reflect the reality of major players in the PII industry knowingly choosing irresponsible management of other peoples PII.
It shouldn't be believed for a second that management was not aware of the potential downside before ignoring it.

ps This isn't a Nationwide bash - this is an industry issue that the industry will only fix when required by law to do so -

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
Depends how they stole it, I supposed. If they got the database files, sure - encryption would protect it. But if they cracked someone's account and then executed a "legitimate" database listing program, it might obligingly list the plaintext data. Encryption's all very well as long as you don't have the level of access where it gets decrypted for use.


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless
said by dave:

Depends how they stole it, I supposed. If they got the database files, sure - encryption would protect it. But if they cracked someone's account and then executed a "legitimate" database listing program, it might obligingly list the plaintext data.

Judging by the timeline of illegal access to discovery (less than 1 day) the hacker wouldn't have had time to have converted up to a million records to plain text but instead just moved a plain text database offsite.