Another one bites the dust.

News came out last week that a security breach affected at least one million customers of Nationwide Insurance.

This actually took place on October 3, 2012, according to a statement on Nationwide’s website.

Their statement says: “Although we are still investigating the incident, our initial analysis has indicated that the compromised information included certain individuals’ name and Social Security number, driver’s license number and/or date of birth and possibly marital status, gender, and occupation, and the name and address of their employer. At this time, we have no evidence that any medical information or credit card account information was stolen in the attack.”

At this point there is no indication whether the data itself was encrypted or not; however, I would have to assume it was not, otherwise I am sure they would be touting it.

How many times do we have to endure this kind of lax security behavior from the companies that we entrust our confidential information to? I have written in the past about the very same thing (see How much do you really know about your internal computer security, and LinkedIn security breach). It looks like it is the same story time and again.

The top brass of large companies are rarely in the loop about their own internal security processes. I have spoken to a few of them, and almost all are convinced that just because their firewalls are in place, everything is protected. Very few people are taking a proactive look at how their data is secured and whether or not it is encrypted at every point. This air of invulnerability is very dangerous, because it means they are not actively protecting customer data, and as a result these types of incidents will continue to occur.

Let’s think about some of the pieces of data a typical insurance company will have on its clients:

  • Name
  • Address
  • Phone (home, work, cell)
  • Social Security number
  • Bank Account info
  • Date of Birth
  • Employment Details
  • Salary Information
  • Net Worth details
  • Medical conditions
  • Credit Card details

This is just a short list. This much information in the wrong hands would result in more than just typical identity theft.

Instead of taking things seriously, many companies often count on the standard response of “one year of free credit monitoring and identity theft protection”. Unless there are SEVERE penalties levied on companies who disregard their fiduciary responsibilities, this will continue to happen. Existing regulations are not enough. There are plenty of loopholes in the HIPAA regulations, so most of these companies will get just a slap on the wrist.

The state insurance commissioners, bank regulators, and the FTC as well as the SEC (most insurance companies also have investment divisions) need to get involved in this and demand that financial institutions get off their butts and secure their customers’ data immediately.

In the meantime, let’s hope these companies have a good cyber liability insurance policy.

Do you feel confident about this? Are you calling up your financial institution and demanding that they RESPECT your data? What are your experiences? I would love to hear from you.