BreachExchange mailing list archives
Re: Sentry Insurance Says Customer Data Stolen
From: George Toft <george () myitaz com>
Date: Sun, 30 Jul 2006 11:15:18 -0700
At this point, I would like to point out that Wisconsin has a weak Identity Theft protection/reporting law (might not even be law yet). Per Consumers Union (www.consumersunion.org/campaigns/Breach_laws_May05.pdf), Wisconsin has a bill SB164: "The entity need only provide notice if it knows that personal information has been acquired by an unauthorized person. And there is a material risk of identity theft or fraud." Well, the risk has been realized.

And we have an insurance company [bound to comply with the Gramm-Leach-Bliley Act and SOX 404, so they should have had adequate security measures in place to prevent this incident - separation of duty (legal requirement) and not using live data in development (best practice)] who chooses not to report the breach until 72 people's information is sold over the Internet. They chose to keep it quiet and not tell anyone because there was no requirement to notify anyone of the breach.

Reading between the lines in the article, it looks like the Secret Service was on top of the event before Sentry Insurance. I wonder how soon the class-action lawsuit will be filed.

As this incident demonstrates, failure to disclose data loss events leads to identity theft. Disclosure seems to have a positive [short-term] effect on preventing ID Theft.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067
Confidential data protection experts for the financial industry.

lyger wrote:
Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/

http://www.mercurynews.com/mld/mercurynews/business/technology/15153907.htm

Personal information on 72 workers' compensation claimants was stolen from Sentry Insurance and later sold over the Internet, the company said.

The data sold included names and Social Security numbers but not medical records, Sentry said. Data on an additional 112,198 claimants was also stolen but there is no evidence it was sold, the company said.

Sentry said it notified everyone affected and was providing credit monitoring services to help prevent fraud.

[...]

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/
Current thread:
- Sentry Insurance Says Customer Data Stolen lyger (Jul 29)
- Re: Sentry Insurance Says Customer Data Stolen George Toft (Jul 30)