The Hartford loses three backup tapes affecting 237,000 policyholders

Date Reported:
10/30/07

Organization:
The Hartford Financial Services Group

Contractor/Consultant/Branch:
None

Victims:
The Hartford Financial Services Group policyholders

Number Affected:
237,000

Types of Data:
Name, address, Social Security number and driver's license number

Breach Description:
On September 27th, 2007, The Hartford discovered that three backup tapes containing sensitive personal information on roughly 237,000 of its policyholders were missing. The tapes were from the company's personnel lines claims center, and it is unclear whether they were lost in transit or within the company itself.

Reference URL:
The New Hampshire Attorney General Breach Notification
PC World Story

Report Credit:
New Hampshire Attorney General

Response:
From the official breach notification letter and online article cited above:

"The Hartford Financial Services Group Inc. has notified about 237,000 policy holders of a potential compromise of their personal data."

"The warning followed the loss of three backup tapes containing the names, addresses, Social Security numbers and driver's license numbers of customers of the company's personnel lines claims center. The tapes were discovered to be missing on Sept. 27."

"On September 27th, 2007 we determined that three back up data tapes appear to have been misplaced.  We have no evidence that the tapes have been stolen or that the information has been accessed or used for improper purposes."

"Hartford Financial Services has no idea if the tapes were misplaced while in transit to another location or if they went missing inside the company."

"It is also very unlikely that the information will be accessed in the future."
[Comfyllama] This is a leap of an assumption.

"the information contained on them could only be read with 'the use of sophisticated and expensive equipment,' she added."
[Comfyllama]  I have begun to hear this minimization statement more and more in response to lost tape breaches.  The potential value in the information would certainly justify the expense to a criminal, and how sophisticated and expensive could it really be?  A tape drive and/or software could be obtained in some very creative and inexpensive ways.  This statement means NOTHING to the security of the data.

"As a precaution, the company is offering a year's worth of free credit protection services from Equifax"
[Comfyllama] As a precaution?  This is an after-the-fact temporary "band-aid" type solution that does not solve the problem.  A precaution would have been to treat confidential data in a more secure manner.

"Security analysts have recommended that companies use encryption to mitigate potential data loss in such situations. Many companies that have been reluctant to do so because of cost concerns end up paying significantly more in notification and other costs when a breach occurs, analysts have previously noted."
[Comfyllama] This commentary was written by Jaikumar Vijayan at PC World, and I absolutely agree.  It's like the old saying goes "an ounce of prevention is worth a pound of cure".

"The Hartford has also taken several steps to further ensure the privacy of individuals' information.  The company is no longer shipping tapes via standard carriers, is using secure electronic data replication and transmission when appropriate, and soon will deploy encryption for the most sensitive information."
[Comfyllama] In my opinion, this is a very wise response on the part of The Hartford.  It stinks that this was not done beforehand and offers little consolation to affected individuals, but will go a long way towards building consumer confidence.  One product that we have used for the "secure electronic data replication" and deduplication has been Data Domain.  The use of data deduplication and replication has allowed some companies to go completely tapeless.

Commentary:
This is another case of portable media (includes laptops, flash drives, backup tapes, etc.) that has gone missing that contained sensitive personal information, WITHOUT ENCRYPTION. I was very pleased to read at the end of The Hartford's statement that they intend to employ encryption in the future.

Past Breaches:
Unknown



 
Comments
  • 11/2/2007 4:04 PM Andy wrote:
    This is the breach that I blogged about and emailed you about a week or so ago. I spoke to the customer service line and was told that the data on the tape was encrypted. However the person on the other end obviously had no idea what they were talking about and I don't really believe their story - otherwise why would they START to encrypt the data in the future....also just HOW long in the future is that going to be - is the data being encrypted NOW?