Genworth Financial customer data on stolen computer
Date Reported:
3/21/08
Organization:
Genworth Financial
Contractor/Consultant/Branch:
Genworth Life and Annuity Insurance Company
International Brokerage Dallas ("IBD")
Victims:
Customers
Number Affected:
Unknown
Types of Data:
Name, address, date of birth and Social Security Number
Breach Description:
"When you applied for insurance coverage with us, your application was submitted through an independent insurance agency authorized to sell our insurance products. Recently, we learned that this independent insurance agency was burglarized on February 16, 2008, and that the burglars stole computer equipment. This equipment contained information needed to process your insurance application, including, among other data, your name, address and Social Security Number."
Reference URL:
New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
Pursuant to RSA 359-C:20 I(b), Genworth Life and Annuity Insurance Company ("GLAIC") and Genworth Life Insurance Company ("GLIC") are writing you to provide notice of a breach of security involving New Hampshire Residents.
[Evan] This breach affected persons residing in other states too. This is the New Hampshire breach notification.
GLAIC and GLIC received notice of this breach on February 20, 2008.
the security breach involved the theft of computer equipment that occurred during a burglary of the offices of International Brokerage Dallas ("IBD"), a Texas-based independent insurance agency.
IBD is an independent insurance agency that has contracted to sell GLAIC's and GLIC's insurance products.
[Evan] Whose responsibility is it to secure this information? GLAIC, GLIC, IBD, or all of the above? My answer is all of the above. This information was not adequately secured.
the burglars stole some computer equipment containing information necessary for customers' insurance applications.
We are advised that the only information on the computer, which was password protected, was name, address, date of birth, and Social Security Number.
[Evan] Oh, that's it? Sheesh, I thought there might be some personal information. (sarcasm) No need to even mention password protection because it is hardly adequate protection.
Because there can be no assurance that efforts to access the data on the computer will not be made, GLAIC will be notifying these individuals of the breach.
The authorities have advised us that the nature of the burglary and the items taken suggest that the break-in was intended to obtain electronic office equipment rather than data itself.
[Evan] Minimize.
We are providing you a free one-year subscription to a credit-monitoring product
[Evan] Monitoring is after the fact. By the time a victim is notified, he/she is already a victim.
We sincerely apologize for the concerns this burglary has caused.
[Evan] Is the burglary the cause of concern or is it the poor information security practices?
If you have any questions or if there is anything that we can do to assist you, please call us at .
Commentary:
Breaches such as this demonstrate the importance of convergence between technical and physical security. We don't know the details of any physical controls in place to prevent this breach, but we can infer some issues around technical security.
What is the company policy around the required protection of confidential information at rest? Does Genworth enforce information security policy and procedures with their independent agents? Does Genworth or IBD plan to improve anything to reduce the risk of the same thing happening in the future? So many questions...
Past Breaches:
Unknown

Genworth Financial CTO speaks at Penn State University
Michael McGarry, the Chief Technical Officer at Genworth Financial, gave a presentation to the SRA Club at Penn State University.
McGarry’s presentation consisted of:
An overview of Genworth Financial, an insurance company parented by General Electric
Michael McGarry’s journey from a high school student in Cleveland to becoming a CTO at an international financial security.
**********
Case study of a critical security breach at Genworth Financial that coincidentally occurred during the most crucial stage of its IPO.
**********
Career and interview advice to IST and SRA students