“Dear Customer:
One of our email service providers, Epsilon, has informed us that we are among a group of companies affected by a data breach that may have exposed your email address to unauthorized third parties. It's important to know that this incident did not involve other account or personally identifiable information.”
That's an e-mail we all love to receive, and I've received several of these notices over the past few days from various prominent companies I've done business with.
The extent of the breach within the insurance industry is not known at this point, as
Companies may be doing a great job of locking down their own data to prevent external and internal leaks, but the Achilles’ heel in all this is the unknown vulnerabilities of business partners and vendors. We run businesses lean, contracting out a lot of non-core (and often core) functions to partners, third parties and cloud providers, and every one of those contracts hands customer data to a security posture we neither see nor control.
There is an accounting standard, shorthanded as “
In fact, a review of insurance industry security incidents at the
• April 6, 2011: “People who logged into [a major Northeast insurance company's] server between February 22 and February 28 are being notified of a possible breach. The firm's Windows servers were hacked and employee, contractor and some customer information may have been exposed by the breach. Social Security numbers, user account logins and passwords, bank account numbers and credit card numbers may have been exposed.”
• March 9, 2011: “In late January or early February, [a major Northeast carrier] sent notification that a dishonest employee is likely to have accessed and disclosed customer information. Names, Social Security numbers, addresses, dates of birth and bank account information may have been exposed. [The company] was unable to determine which customers were affected.”
• January 25, 2011: “Thousands of papers with names, addresses, Social Security numbers, birth dates and account balances were thrown in a dumpster. The breach appears to be the result of an insurance office moving from one location to another. A man searching for metal in dumpsters made the discovery. Most of the files belonged to one insurance agent.”
An incident cited at a major financial services company last October 12 actually showed the company doing the right thing: sensitive data was encrypted before it left the production site.
“An isolated administration error caused an encrypted file with the personnel information of one client's employees to be made available to the HR department of another client. A password-based registration system was already in place to prevent the wrong addressee from opening encrypted email, however, the email was addressed to the wrong client.”
Encryption and the registration password protected the file against interception and against an unregistered reader, but not against a registered recipient who was simply the wrong client; the control that failed was addressing, not cryptography.
Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology.
This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.