Desktop computer stolen from Administrative Systems, Inc.

Date Reported:
2/8/08

Organization:
Administrative Systems, Inc. (ASI)*

*ASI is a licensed third party administrator that provides certain administrative services on behalf of its clients, which include insurance companies and other financial services companies. These services often include processing employee applications for insurance coverage, issuing of insurance plans and employee certificates, managing premium billing and collection for insurance plans, responding to customer service requests and other record-keeping functions.

Contractor/Consultant/Branch:
None

Victims:
Customers of various ASI partner companies**

** Lists of companies in "Strategic Partnerships" and forms.

Number Affected:
Unknown

Types of Data:
Name, dates of birth, mailing addresses, and Social Security numbers

Breach Description:
On December 29th, 2008, a desktop computer was stolen from the Seattle offices of Administrative Systems, Inc. ("ASI") that contained a database of sensitive personal information belonging to customers of the company's clients.

Reference URL:
Administrative Systems, Inc. official notice to victims
PogoWasRight.org Story

Report Credit:
Administrative Systems, Inc., with a special thanks to PogoWasRight.org

Response:
From the online sources cited above:

A desktop computer stolen from an Administrative Systems, Inc. (ASI) office in Seattle on December 29th contained names and sensitive information about customers or employees of several of the firm's clients: Continental American Medical, EyeMed Vision/Kelly Services Vision, and Jefferson Pilot Financial Dental.

ASI is a licensed third party administrator that provides certain administrative services on behalf of its clients, which include insurance companies and other financial services companies. These services often include processing employee applications for insurance coverage, issuing of insurance plans and employee certificates, managing premium billing and collection for insurance plans, responding to customer service requests and other record-keeping functions.
[Evan] Sheesh, this is some very sensitive information.  There is no mention in the notification or the Administrative Systems, Inc. web site about what is done to protect this information.

personal information about customers including name, date of birth, mailing address, social security number (“sensitive information”). The information did not include credit card information or driver’s license numbers.

We are writing to notify you of this incident and to assure you that we take this matter seriously and are taking steps designed to minimize the likelihood of such an event occurring in the future.
[Evan] What specifically is being done?

We have tightened our security measures to provide greater protection for the information we maintain and are working closely with local authorities to minimize future risks.
[Evan] Again, no specifics.

The Seattle Police Department is investigating this incident and ASI is cooperating fully with this investigation.

We suggest that you remain vigilant over the next twelve to twenty-four months by reviewing your financial account statements and monitoring your credit reports to minimize your potential risk of identity theft or fraud.
[Evan] The onus is on the data custodian to protect the information according to what is expected by the data owner.  The victims can remain vigilant, but what if data custodians are not?  Take your business elsewhere?

ASI sincerely regrets any inconvenience this incident may cause you. We know our clients value your trust and confidence and we remain committed to ensuring the security of your personal information. If you have questions for ASI regarding this incident, please call toll free 1-. We will be available Monday through Friday from 8 am to 8 pm Eastern time.

In its notification letter, ASI did not indicate whether the data were encrypted nor why it took over a month for individuals to be notified of the theft.


Commentary:
This is a very unfortunate breach.  I assume that many of the victims do not even know who ASI is or how they came into the possession of their information.  If I received one of the notifications from ASI, I would have more questions than answers and I would be frustrated.  As customers of companies, we provide certain personal information.  We trust that the companies we do business with will see to it that our information is adequately protected.  In this instance, information was passed on to a third-party and that third-party did not do what they should have done to protect personal information.

There is no mention of any existing controls or what controls ASI plans to evaluate to further strengthen their information security and reduce risk.  Victims and customers are left in the dark.  One can only assume what type of physical controls were in place to protect against the physical theft or what technological controls were in place to protect against compromised confidentiality.  Your guess is as good as mine.

Past Breaches:
Unknown


 
Comments
  • 2/13/2008 12:02 PM Cathy wrote:
    I received one of these letters. I found this site searching for information on this, as I thought it was some kind of scam at first. To my knowledge I have never had any dealings with the "clients" they list, and specifically the one that they referenced in my case. I am one of those people that are wondering why they have my information in the first place, unless they are selling it to their "clients". This is to say the least very frustrating.
    1. 2/13/2008 1:46 PM Evan Francen wrote:
      Cathy, I can empathize with you.  I am sure that there is much more to this story than what has been released to the public.  Have you tried calling the toll-free number that they provided (1-) and asked them for clarification?  I am almost certain that they know how they came into the possession of your information.  You are the owner of this information and as such have the right to know.

      1. 2/13/2008 7:17 PM Cathy wrote:
        Hi Evan- I did call the toll free number. The person that answered the phone obviously did not want to answer any questions and tried to refer me to the Federal Trade Commission. I persisted and he told me that the company they had provided my info to was most likely related to an employer provided disability policy, and that they had my name, address and last 4 digits of my SS. I contacted my employer's HR dept and they advised that they have never used the company listed as a carrier for any of our policies, but 6 or 7 years ago there was a supplemental policy offered which I did not sign up for, which could have been with this carrier (Baltimore Life). So, I still don't know why they have info on me and where they got it.
        Thanks for the very informative website!
  • 2/13/2008 8:20 PM Andree wrote:
    I received a notice about this as well. What seems weird to me is that the letter we received did not mention the "customers or employees of several of the firm's clients: Continental American Medical, EyeMed Vision/Kelly Services Vision, and Jefferson Pilot Financial Dental". I have not as yet called the number they provided in the letter but have instead contacted the HR managers where I currently work and at the job I held up until July of last year to find out if either of them deal with the specific company mentioned in my letter. I'll update you as I find out more. Best to all!
  • 2/14/2008 1:50 PM Kathy wrote:
    I received this notice and also thought it might be a scam, especially after my call to their 866# only allowed me to leave a message without speaking to anyone. I don't recognize the carrier either (also Balt. Life) and do not remember signing up for a critical care policy. I have checked with my current benefit manager who has had no dealings with this company, and have started working backward with a previous employer from 3-6 years ago. It is very frustrating to think that they are keeping data around, unsecured, and they don't even need to access it. I will let you know if I actually get any information.
    1. 2/18/2008 5:14 PM Kathy wrote:
      I visited the incident website set up by ASI, http://incident.asibpi.com/index.html They are now offering 12 months credit monitoring to anyone who received this letter.

      I did finally get a call from the 866# I had left a message on last week. They would not answer any questions without my full name or a number from the letter I was sent. I asked to speak to a supervisor who would only give me his first name and employee ID number, yet he insisted I give him enough information to access my sensitive information. Employee ID#'s don't build a lot of trust.

      I have not yet figured out why a company that offered a policy I did not sign up for has any information on me at all, AND how is it that they have my current address? My former employer doesn't even have that.
  • 2/20/2008 2:36 PM bill wrote:
    Make sure you call Experian, Equifax or Trans Union to file a fraud alert, or you can file a freeze on credit: http://www.fightidentitytheft.com/legislation_washington_.html
  • 2/22/2008 3:20 PM John wrote:
    I would like to confirm the horrible response that I received from ASI. Over a week ago I received the letter. This company handles my Roth IRA, and does automatic deductions out of my bank acct. When I called the first time, the customer service rep would not give any info to me. I asked him to check my account, and he could not find it. I was xfered to a supervisor, who told me how really serious the theft was for security of my bank account. He told me to get my account changed asap. He told me that ASI would cover the cost of changing my acct, and the cost for new checks (about $90.00). I went to the bank, changed accts and called back to get my reimbursement and another supervisor said "we have decided not to do any reimbursements for the people that were involved in the info theft." I won't do business with this company anymore. Having your information stolen from a computer theft doesn't show good forethought for security of your customers in a time when computer theft is so prevalent today. The follow up calls to customer service were less than useful as well.
  • 2/25/2008 8:52 AM Kevin wrote:
    Does anyone know if there have been any reports of this information being used for fraud ? I am not sure if there is really anything to do at this point.
  • 3/7/2008 10:45 AM Joel wrote:
    I received a second letter yesterday and now they are offering a free 12 month credit monitoring service through Affinion Group. Sounds great, right! Wrong, the only way to get the service is to enroll via the mail and you must include your S.S.# on the form. That's real smart.
  • 3/10/2008 5:15 PM April wrote:
    I also have received 2 of these letters. Just today, I got the one, like Joel did, asking me for the very information that was supposedly on the stolen laptop.

    By the way, each letter listed a different business that I supposedly had business with. I have not had business with either one. I smell a scam folks !

    Did anyone in your phone calls get a Seattle Police Department case number for the stolen laptop incident ?

    I emailed KIRO news 7 investigations after I received today's letter.

    Thanks for this web site folks. Hopefully we can figure out if it's a scam or not and soon !
  • 3/10/2008 5:50 PM April wrote:
    I did some research on the Privacy Guard company that will give us our "FREE" credit monitoring. (listed in letter 2 if you received one) DON'T SEND THEM ANY INFORMATION !!!! There are numerous stories out there on the web if you just google their parent company: Trilegiant Corporation.

    Here is just one story I found:
    http://www.my3cents.com/showReview.cgi?id=33260
  • 3/11/2008 12:06 PM Joe wrote:
    It looks like they have selected a known and abusive direct marketing firm for their 'privacy guard' offer (1 year of credit monitoring), so it is either a full-out scam or is at least connected with one.

    http://www.consumeraffairs.com/scam_alerts/tlg.html

    http://groups.msn.com/USBankComplaints/usbankprivacyguardandtrilegiant.msnw

    http://en.wikipedia.org/wiki/Affinion_Group

    BTW there is a free and legit means of getting an annual credit report...
    https://www.annualcreditreport.com/cra/index.jsp
  • 3/11/2008 4:42 PM Sue wrote:
    I heard the server was stolen with over 400,000 names and personal information on it, including those of their employees, past and present. The customer service department was told what to say and not to say and they will give you the police report number if you ask. NFP.com is still currently the parent company who owns ASI & BPI. I find it odd that such a large company, on the NYSE has not sent out anything to clients with their name and backing of the situation. I was told by customer service they are taking it very seriously and that we should make efforts to protect our credit history for a min. of 1-3 years. It has been poorly published to the community and in addition, ASI does work for other companies owned by NFP.COM's companies in other Cities and States. I think a news company should be letting people know. Some people don't even realize that companies they worked for years ago and were made to take the minimum company provided benefits, which gave ASI their personal information that was stolen, was still in their system and compromised by the theft. I find it sad and poorly taken care of on the company's side and the parent company side.
    1. 3/12/2008 12:01 PM Natalie wrote:
      Your statements are correct. Unfortunately, the letter is not a scam, but they downplayed the problem and omitted a few facts. They failed to say that personal information was not protected whatsoever, they also failed to say that at least 500,000 individuals were affected with information such as SS#, address, bank accts for monthly bank drafts customers, employers info, ph #s, hire dates, salaries, job titles, medical history in some cases, investment acct #s... They called ASI a 3rd party administrator but they are also a broker dealer, handling people's money... They did not mention their sister company, BPI, their sales agency that sells voluntary products to the worksite in WA and OR, all their data was in the same system. Also, they give an Alabama address on the notice while their physical address is in Seattle, they may be doing business in AL but why using that address? And why did they wait until 02/03 to send letters when the theft occurred on 12/29? Why did they not offer to fix the problem in their 1st letter by offering free credit monitoring? Why did it take them another few weeks to come up with it? As to their CS phone number, that ph # was set up for this particular problem and employees were given a script. If you want to find out what kind of acct you had with them, call their regular number at 1- ext 250. You will get the same employees on the phone but they may volunteer more info. You can request a copy of the paperwork/ applications you signed upon enrollment, it is your right and they have access to those. Since when do their 4 or 5 CS Reps have id #? Until recently they were giving their own names... It makes you wonder... Also why were employees told to not talk about this to anyone, especially not to leak it to the press? I definitely think that ASI is not always following the rules, and I wouldn't be surprised if they lost a lot of customers after this.
      This company has changed in the last few months, it is run by incompetent people and is no longer customer oriented. The girl that mentioned she was going to email KIRO 7 had a good idea, it wouldn't be a bad thing to contact other TV stations and newspapers and have them exposed. It is just not fair that we all try to protect ourselves and our info on a daily basis, to have a company like this blow it for everyone. If they cannot protect their clients' data, then they shouldn't be in business.
      1. 3/19/2008 4:28 PM Brenda wrote:
        Natalie,
        I have been a victim already of the theft from ASI. On 1-17-08 I called American General to check on a life policy and found that the Beneficiary of the Life Insurance policy had been changed to another person other than my family (I'm still investigating). I had to change the beneficiary back to my loved ones. People tend to forget about these things but somewhere in the future they will have to re-live this nightmare. Please check with your insurance company and protect your future; this includes annuities, Life Insurance which includes loans on life policies, changes in ownership, changes in beneficiaries etc. Think long and hard because this is not a 2-3 yr. conquest. It is a lifetime. I contacted an attorney who suggested to send a certified letter to the insurance company putting a freeze on any changes to my policy unless notified by certified mail of changes to be made, but first make sure all the information is correct. I think this is just too much crap to go through and I want someone to take responsibility for my future problems that are not necessarily my credit. What about birth certificates, drivers license, etc. If someone got a duplicate Drivers license in my name and have bench warrant out on them. Then, I get stopped for speeding and they take me to jail, then what? I feel that this is only the beginning of a lot of hardship that no one is going to pay for. I am currently considering a lawsuit, maybe they will pay attention to security measures after that and potentially be responsible for any future damage at least.
        1. 3/20/2008 11:38 AM Natalie wrote:
          Hi Brenda,
          I agree with you that this computer theft could be the beginning of a lot of hardship for everyone. We don't know who has our information, what they are planning to do with it and when this will hit... It would be nice to know if the police dept is working on recovering the stolen info and what the status is. As to the change on your policy, somehow I doubt that this is related to this issue. In order to change the beneficiary, someone would have had to fill out the correct forms between 12/29 and 1/17 (it takes way longer than that for processing!), and I don't see how someone would benefit right now... They would have to wait until you die, which could be 50 years from now! I honestly think your issue is caused by ASI or American General mistake. Believe me, these happen quite often... I would recommend you call ASI and check the beneficiary on your policy, and ask them for a copy of the change of beneficiary form, this will tell you if it was changed and when, or if they just messed up, you can do the same with American General.
          1. 3/20/2008 11:55 AM Evan Francen wrote:
            Hi Natalie, Brenda, et al.

            The Fullerton Police did recover the computer.  I posted the information in the article "UPDATE: A computer stolen from Systematic Automation is found", but now I notice that I did not update this original article.  My apologies for the delay.

            I wish you all the best!

            Evan

            1. 3/20/2008 11:45 PM Sue wrote:
              Hello Evan. The notice of found computer was for Systematic Automation..... The company computer stolen we are talking about was from Administrative Systems, Inc., whose sister company is The Balanced Program and whose PARENT COMPANY is NFP (located in NY-IPO on NYSE and worth Millions according to google search). Both the ASI/BPI are located and run in Seattle, WA and not Alabama (according to google & employees). The management portion of company was sold by Alan and Bonnie Cashman &/or NFP in 2007-you can google this and ask employees at company who aren't scripted on what information is given out to those at risk by the stolen computer. NFP was still the parent company, confirmed, as of 2-2008. Still wondering why NFP's name isn't on the website for theft and why the company started and located in Seattle by Bonnie and Alan Cashman says its address is in Alabama????
              Hope this helps :) Freezing my information, etc.. too! Too many holes in the information being provided to all of us from the management of ASI vs THE INVISIBLE PARENT COMPANY IN NEW YORK!!!
            2. 3/21/2008 9:41 AM Suzanne wrote:
              That sounds like a different laptop, are you sure it's related to the one stolen from ASI?
  • 3/12/2008 3:46 PM Sam wrote:
    My wife received one of these letters. She called the CS # and all they wanted was a SS#, they wouldn't do anything without it. She refused of course. We put a fraud alert on her account and signed up for a service separate from ASI's offer. We also received something from the supposed client we never did business with giving us the ASI CS # and the forms for that 12 month credit offer. We'll wait and see what happens. If we have an ID theft, we'll probably get a lawyer and sue them.
  • 3/14/2008 8:58 AM Ivin wrote:
    After reading the comments here, I refused the offer from ASI and enrolled in another credit reporting company. It costs me $13 a month out of my pocket. Does anyone know if a class action suit has been started against ASI?
    1. 3/23/2008 1:43 PM LORA BARTON wrote:
      I'm doing the same and I am very interested in a class action suit --- any Lawyers in the mix? Lora B
      1. 3/28/2008 12:49 PM Tony wrote:
        Count me in. I also received the same letter from ASI. Who knows how many people are at risk? While talking on the phone to one of the people who answer the phone, he used the phrase "the number of people was quite unbelievable."
    2. 5/14/2008 11:45 AM Leve wrote:
      I've been thinking about it and I am glad I did not send my information for that 1 year credit monitoring. I will pay for it myself too. But frankly I think we will need our credit monitored for more than 1 year, since identity thieves sometimes wait longer, after you let your guard down, to hit you; so you don't see it coming.

      I've never heard anything about that class action. Can we at least choose our own credit monitoring company for 5 years and have ASI pay for it? It's the least they can do. If they cannot protect our information, how can we trust them or any other company they chose with that very same information?
      Anyone with me here? We need to act fast.
      1. 5/21/2008 5:21 AM Ivin wrote:
        I'm completely with you. Sadly, either interest in this matter has stalled or new information is non existent. With 250,000 + victims out there, someone must have something new to share with the rest of us.
  • 4/4/2008 3:02 PM Dissent wrote:
    Hi Evan,

    I've continued to cover this breach on my site. Union Security Life Insurance informed me the other day that 250,000 of their clients had data on the stolen computer.

    In an earlier follow-up, I reported that in contrast to what ASI said on its web site about the breach affecting "several" clients, the list of carriers affected in NY was 38, even though the total number of NYS residents affected was reported to be under 3,000.

    I'm continuing to dig on this story and have filed another FOIA request. I will post more updates to my web site, www.pogowasright.org, as I get them.
  • 6/17/2008 6:10 AM Ivin wrote:
    On June 2 a box of tapes was stolen from a car. The tapes were from a local hospital & contained the personal info on patients from the past sixteen years. The hospital is offering one year free credit checks. It took just three days for a class action lawsuit to be filed. Is the theft of this ASI computer a dead issue???
  • 6/18/2008 11:48 AM Dissent wrote:
    Ivin: ASI is a TPA. Perhaps if really disgruntled folks contacted their employers or insurance providers or whoever sent their data to ASI and asked if they are still using ASI and raised some kind of ruckus, that might be another way to get some results. If ASI were to lose clients because of the breach or were to offer something more to those affected because those affected put pressure on the clients, would that satisfy you?
  • 6/18/2008 4:12 PM Chuck wrote:
    Ivin: Not to be too sarcastic but we can only hope this issue is "dead". It would mean nobody has had anything happen to their credit/financial situation. Those affected may not like the vendor, but ASI is offering a year of credit checking. As far as a lawsuit, someone will need to show a loss somewhere otherwise what are you suing for, loss of sleep?
  • 6/19/2008 9:49 AM Judd wrote:
    RE: I am amazed that you were able to flatly state that "nobody has had anything happen to their credit/financial situation." No one outside of ASI knows the number of persons involved. The list of companies sent by ASI to the states' attorneys general is astounding. I worked for American General Insurance (just one of those listed) in the 90's and I would never even begin to estimate the number of people they insure. I can tell you that in the very early 90's they were proud to lay out the fact that at that time they held 35 billion dollars of assets. Your comment again that "nobody has had anything happen" is so small minded that I find it hard not to wonder about your employer's name. As for your attempt at humor in ending with "what are you suing for, loss of sleep," lacks any humor at all to a person suffering from depression, anxiety disorder and PTSD. When many millions of Americans stand to have their privacy invaded, you find humor? The issue at hand in reality is "Failure to protect the privacy of their clients" private information of the paying customers. You might even call it a "breach of the public trust." So, just think about it, any website that you can find on the net can be viewed worldwide. How safe would you feel "Chuck" if someone posted your SS number, address, phone numbers, height, weight, etc.? If you find this humorous, please reply by posting the previously mentioned information and please be sure to use your real information, after all, as you pointed out, "ASI is offering a year of credit checking."
    1. 6/19/2008 1:10 PM Chuck wrote:
      I didn't state "nobody has had anything happen to their credit/financial situation" I stated that we can only hope the issue is a dead one (i.e. the computer stolen is not being used for stealing identity) which would mean no one's ID is stolen. I'm one of those who received a letter from this company and so far as I know, no one has reported anything occurring from this incident (including me).
      My point on the lawsuit is simple: If you can prove a "breach of trust" when the computer was stolen out of their building (as opposed to someone losing the computer outside the building) then sue them. But my guess is that you can show no loss as yet. That doesn't mean there won't be a loss to be shown in the future, but some folks seem to want to start a lawsuit now without loss being shown, which would probably not get very far. Sorry if I offended......
  • 7/28/2008 10:18 PM Leve wrote:
    Nobody is suing for loss occurred, but I think the company should have the decency of allowing people to choose an identity theft prevention they trust instead of just picking up one. After what happened with my info with ASI, it's hard for me to just mail my info to a company of their choice that I can't even reach over the phone. Don't you think we are entitled to our choice to protect our info if we feel uncomfortable with what ASI offers? If yes, then we should fight for that instead of just waiting for something to happen to us. There is enough stress going around already for us to add "identity theft" possibility to it. I hope I am not the only victim feeling that way.
  • 7/10/2009 8:51 PM Sarah wrote:
    We also got a notice that our information was compromised and I'm just not comfortable signing up for this company they have chosen. I had to make sure this wasn't a scam in the first place. It's ridiculous how many people have access to our private information. Today is the deadline to sign up for the credit monitoring and I can't decide if it's a good idea or not. I want to keep an eye on our credit, but not if it puts us at more risk.
  • 7/16/2009 7:33 PM Shan wrote:
    OK, it's been a while since anyone posted a comment on this blog but now I have questions. I also received the initial letter 02/2008. Now I received a packet 7/16/09 about a class action lawsuit someone filed. Also more info for the 1 free year of privacy guard. I haven't responded to anything seeing that everyone who did try to call was also asked for more sensitive info so I'm not going there. I did previously put the fraud alert on my credit report and I'm going to get a report this week online. I wanted to know if anyone has any new info or has any idea what's up with this. I have no clue who the insurance company listed on the initial letter is and I'm still concerned about this.
    1. 7/17/2009 8:44 PM Bernie wrote:
      I had my identity stolen as a result of the incident. It happened around 2/11/08. 13 accounts totaling $25,000 were opened in my name in two days. I had to clean up the mess. It took about a year to have it all taken from my credit report. Several attorneys and the police told me that the reality of it is that it is hard to PROVE it came from ASI since breaches happen all the time. I think there is power in numbers and even though they are not offering much compensation, I am going to be part of the class action lawsuit. Call the attorneys listed on the paper, the ones in Seattle. They are legit. I want some justice!!!!
      Bernie
  • 5/25/2010 8:15 AM IT Support Melbourne wrote:
    Evan, you make some excellent points. The statements in ASI's response are indeed pretty vague. What exactly IS being changed? I would guess very little. There have eventually got to be some serious consequences for companies that let something like this happen, like a huge fine of some kind.
