Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy to daveinpoway

Re: Personal info of 1m compromised in Nationwide breach


[Screenshots: Screen 1, Screen 2, Screen 3, Screen 4]

Trending Now: Inexcusable Data Breaches

Nationwide Insurance’s IT Security Professionals must talk a good story because they are not qualified for their positions.
Finding employment elsewhere shouldn’t be much of a problem for them considering how many companies are re-staffing because of recent data breaches.

Maybe that’s the problem?
Companies are hiring from the same pool of recently fired IT pros.
/sarcasm

The PII that was breached had to have been juicy coming from an insurance company.
They are the kings of harvesting/purchasing & storing invasive personal information.

I went through the steps of receiving an online quote from Nationwide Insurance to see what the “public data” would reasonably include.

Screen 1 Your Information
First Name:
Last Name:
Email:
Phone:
Address:
City:
State:
ZipCode:

Screen 2 Vehicle Info
Vehicle Year:
Make:
Model:
VIN (optional)

Estimated yearly mileage:
Hybrid? Y/N
Accident within 6yrs Y/N
Address where vehicle is kept:
Primary Use:

Screen 3 Driver Info
First Name:
Last Name:
Date of Birth:
Current License Number:
Current License State:
Age First Licensed:
State First Licensed:

Screen 4 Driver Discounts:
General data mining questions see image 4

Toss in the info from the linked article:
"So far, various officials have confirmed with media outlets that about 30,000 people in Georgia were affected, as well as more than 12,000 in South Carolina. The California Department of Insurance announced Wednesday in a release that approximately 5,050 residents of the Golden State were impacted and that information, such as names, Social Security numbers and other personal identifying data, were stolen in the breach, though no credit card information was accessed."

We can add the victims' SSN to the list of other PII Nationwide Insurance handed over to ID thieves who want that data for one purpose only –

Fear not though-
"Currently, the company is notifying affected individuals by mail. They will be offered free credit monitoring and identity theft protection services for one year. A toll-free number, (800) 760-1125, was also set up to handle questions."

That has become so typical that it may start appearing as the acceptable solution when there is nothing acceptable about the situation in the first place.

Is this supposed to be the penalty or the price a company has to pay for sloppy IT security?
If I owned a credit monitoring company I’d allow Nationwide to offer the victims my service for free for a year. The number of victims that would renew as paid clients at the year’s end would make it a wise investment.

»www.scmagazine.com/perso ··· Newswire

Nationwide's MA issuer:
»www.massdrive.com/index

norwegian
Premium Member
join:2005-02-15
Outback

1 recommendation

Ah, the Internet in all its glory.......

The problem is personal data should be kept offline from the Internet, but companies, including banks, request, prefer and almost demand that you use the Internet to access information because it saves on manpower.

It's just another day, in another week, in another month, where sloppy policies, cost cutting exercises and poor/shoddy workmanship reveal too much about the general public's private information.

Truly scary stuff.

Rebuilding one's personal info is not an easy task.

----------------

On the point of a free year's monitoring, sounds okay, but how many people in a year will still be using the same personally identifiable info? I can just see the sale of the personal info on the black market marked with "please open at Xmas 2013 to reap the most rewards".

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

1 recommendation

An edit to add to my already too lengthy previous post.
I received an email from Nationwide's MA issuer with some follow-up questions which should be added to the info submitted online.

1. Is your car registered in MA? If so, please send the license plate number. If not please send the VIN number.
2. At what age did you first get your driver's license?
3. How long have you lived in Boston, MA?
4. Are there any other licensed drivers in the household? If so, please provide their Name & Date of Birth and/or their driver's license #.
5. Are you currently a student? If so, do you have over a 3.0 Grade Point Average (GPA)?

Question 4 is a mind blower.
I don't want to even guess at the scope of the data Nationwide handed over.
daveinpoway
Premium Member
join:2006-07-03
Poway, CA

daveinpoway to Snowy

An unanswered question is: Are/were the IT Security people at Nationwide incompetent, or did they know what needed to be done, but could not convince the management people to spend the money for the proper security hardware and software? There is only so much that can be done to secure the network if the funding doesn't exist.

I am a Nationwide customer (have been for years); I haven't received a letter yet, so I don't know if this affects me or not. I will call them on Monday to see what I can find out.

jack b
Gone Fishing
MVM
join:2000-09-08
Cape Cod

jack b to Snowy

The reason for answering number 4 is because (at least in Massachusetts) typical auto insurance policy language states that a failure to appropriately list drivers in your household may result in the company refusing to pay claims. Ignore that at your own peril.

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

said by jack b:

The reason for answering number 4 is ...

I assumed it was about something such as that, thanks for clarifying it.
Part of the reason Question 4 jumped out at me was this disclosure from the link:
"Elizabeth Giannetti, a Nationwide spokeswoman, confirmed with SCMagazine.com on Thursday that the incident, where a "portion" of the company's computer network was breached, affects customers, as well as people that requested quotes from Nationwide."

If it turns out that people who only requested a quote without purchasing a policy, say a year ago, were affected, Nationwide may have redefined the worst case scenario.

Imagine giving up every licensed driver's stuff in the household, I'd be toast.
Of course this is just conjecture but it's slightly informed conjecture.

btw Hawaii went the opposite way ~2yrs ago.
Insurance companies may not request information on household members but it is good to have them listed if they drive the auto being insured.
dave
Premium Member
join:2000-05-04
not in ohio

dave to Snowy

said by Snowy:

Currently, the company is notifying affected individuals by mail. They will be offered free credit monitoring and identity theft protection services for one year.

I'm looking forward to the extension of this solution to homeowner's insurance.

"We're sorry someone took an axe to your front door and gained entry to your house, insured by us. We'll loan you a web cam for a year."

EGeezer
Premium Member
join:2002-08-04
Midwest

EGeezer to Snowy

I knew several highly regarded IT security people who worked for Nationwide, but they all left for greener pastures.