said by Blackbird:
Because of Nationwide's offer to victims of free identity protection, one would strongly suspect the best description of the situation is: the records most likely were unencrypted.
Nationwide has put up a web page outlining the incident that strongly suggests the data was unencrypted: "Although we are still investigating the incident, our initial analysis has indicated that the compromised information included certain individuals' name and Social Security number, driver's license number and/or date of birth and possibly marital status, gender, and occupation, and the name and address of their employer. At this time, we have no evidence that any medical information or credit card account information was stolen in the attack."
I can draw a few damning assumptions re Nationwide's respect for other people's stuff they promised to securely maintain by that statement.

1. The stolen data was plain text.
Reason: Any database that included CC data would have been encrypted by PCI standards, as would medical records, which would have been encrypted by HIPAA standards.
Conclusion: Nationwide in their handling of the PII was compliant with current regulations, but only to the point of what was minimally required of them.

2. Nationwide maintained a database of PII that excluded the 2 items that would require encryption of the database.
Reason: To facilitate ease of access to its agents & hackers.
Conclusion: There's a major difference in being compliant to the letter of the law & acting within the spirit of the law.
Nationwide Insurance failed at the latter.
Current requirements need to be revisited to better reflect the reality of major players in the PII industry knowingly choosing irresponsible management of other peoples PII.
It shouldn't be believed for a second that management was not aware of the potential downside before ignoring it.
PS: This isn't a Nationwide bash - this is an industry issue that the industry will only fix when required by law to do so -