Aon consultant posts personal information belonging to Delaware retirees online
Date Reported:
8/31/10
Organization:
State of Delaware
Contractor/Consultant/Branch:
Aon Consulting
Location:
Online
Victims:
"state retirees"
Number Affected:
"about 22,000"
Types of Data:
Personal information including Social Security numbers, gender, and age.
Breach Description:
"DOVER, Del.—Aon Consulting Inc. inadvertently revealed the Social Security numbers, dates of birth and genders of about 22,000 retirees from the state of Delaware, the consultant said."
Reference URL:
The News Journal
The News Journal (2)
Businessinsurance.com
Report Credit:
J.L. Miller, The News Journal
Response:
From the online sources cited above:
DOVER, Del.—Aon Consulting Inc. inadvertently revealed the Social Security numbers, dates of birth and genders of about 22,000 retirees from the state of Delaware, the consultant said.
[Evan] Quality of service?
The data, which did not include individuals' names, appeared on the state's website between Aug. 16 and Aug. 20 in a vision benefits request for proposals that Aon had prepared for the state, before the information was discovered and removed, according to the consultant's Chicago-based parent, Aon Corp.
In a statement, Aon said, as a normal course of business for public entities, the RFP for vision benefits was posted on the procurement section of the state's website so interested bidders could access the questionnaire and worksheets.
[Evan] Maybe a quality assurance function should be added to the "normal course of business".
Normally, personally identifiable information is randomized “so that individuals cannot be identified in any way,” an Aon spokesman said. The company is investigating the breach, but there have been no reports of any fraudulent activity, he said.
Aon said potentially affected retirees were being notified and would receive free credit monitoring services for a year and access to a toll-free customer care center for additional assistance.
[Evan] Credit monitoring is fine, but it is a detective measure not a preventative one. People will be notified once they have already become a victim of identity theft. It's better than nothing, but less effective than keeping the information safe in the first place.
Delaware’s Office of Management and Budget said in a statement that it, as well as the Delaware Department of Technology and Information, the Office of the Attorney General and the State Pension Office, are “overseeing the steps Aon is taking to support persons affected by this incident and prevent future incidents of this nature.”
The statement also said that because the incident response is also governed by federal Health Insurance Portability and Accountability Act regulations, Aon Consulting will notify the U.S. Department of Health and Human Services of the security incident.
Robert Siciliano, a Boston-based security and identity theft consultant for Santa Clara, Calif.-based McAfee Inc., said that because names are not necessarily always correlated with Social Security numbers when applying for credit, identity thieves still could use the Social Security numbers with false names.
[Evan] Sad, but true. This data is less valuable to a fraudster than if it contained names, addresses, etc., but it is still valuable.
A laptop belonging to Aon Consulting that had the names and Social Security numbers of 57,160 individuals collected on behalf of Verizon Inc. during a pre-employment testing and application process was stolen from a New York restaurant in May 2008.
[Evan] "About 2,000 past and present employees of Park National Corp." were affected by a lost Aon Consulting laptop in May, 2008 as well (see below). I'm not sure if these two breaches are related.
"We cannot determine" whether there has been any fraudulent activity as a result of that breach, the Aon spokesman said in an e-mailed statement.
Angry state pensioners swamped Aon Consulting's phone lines Tuesday after opening their mailboxes and finding letters informing them that the benefits consultant had inadvertently posted their Social Security numbers and other personal information on the Web.
Retirees interviewed Tuesday were emphatic on one point: One year of free credit monitoring is not enough.
[Evan] People have lost (or are losing) patience with organizations that expose their personal information.
The former employees have been offered one year of credit monitoring with the credit bureau Experian.
[Evan] I have said this before, but I like to sound like a broken record ;). I have trouble with Experian offering credit monitoring services for profit. Isn't Experian responsible for collecting this information and maintaining accuracy in the first place? Why do they charge you to ensure that their records are accurate? Seems like they have pulled the wool over everyone's eyes.
Scores of callers to The News Journal said they had difficulty getting through to Aon, but that, once they did, the process went smoothly. Callers to Aon who were affected by the data breach are referred to Experian.
Kimberly Barone, a retired Colonial School District teacher, said "there are no words" to describe how angry she is.
"I signed up for the Experian thing. What's one of the first things they asked me for so I could sign up? My Social Security number," Barone said. "I kind of went off a bit and then I was thinking, it's not this person's fault."
Letters from Aon began arriving in retirees' mailboxes Tuesday, and some families got more than one.
"I got one, my wife got one and my son got one," said Joseph Sudimak, who is retired from the Indian River School District. His wife and son also are retired school employees.
"How could this happen? As careful as we try to be, and the state or an agency of the state does something like this to us," Sudimak said. "They ought to offer [free credit monitoring] to us for a lifetime."
[Evan] I am interested in people's comments regarding Mr. Sudimak's comments.
Commentary:
How comfortable are you with how your consultants, vendors, and/or partners handle your sensitive data? If you're not, or you don't know, you had better do more to manage the risks surrounding these relationships!
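The failure here was a worksheet that reached a public procurement site with Social Security numbers and dates of birth still in it, and nobody on either side looked before it went up. The pre-upload check below is an added example of the "quality assurance function" suggested above; it is not code from Aon or the State of Delaware, and the worksheet it scans is constructed with made-up values. It flags SSN-shaped values that pass the SSA's structural rules (area not 000, 666 or 900-999; group not 00; serial not 0000) and date-of-birth-shaped values, so the same gate can run at the consultant before delivery and at the state before posting.

```python
import csv
import io
import re

# Constructed sample of the kind of bidder worksheet an RFP might carry.
# All values are made up; rows 3 and 4 contain the defect the gate should catch.
SAMPLE_WORKSHEET = """member_id,gender,birth_date,plan,ssn
R-0001,F,1948-03-02,Vision Basic,
R-0002,M,1951-11-19,Vision Plus,123-45-6789
R-0003,F,1955-07-30,Vision Basic,000-12-3456
"""

SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")
DOB_RE = re.compile(r"\b(19|20)\d{2}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/(19|20)\d{2}\b")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Structural SSN validity per the SSA's published allocation rules."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def scan_for_pii(text: str) -> list:
    """Return (row, column, kind) for every SSN-shaped or date-of-birth-shaped
    cell in a CSV worksheet. Rows and columns are 1-based; the header is row 1.
    Locations, not values, are reported so the findings themselves are safe to log."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            for m in SSN_RE.finditer(cell):
                if looks_like_ssn(*m.groups()):
                    findings.append((row_no, col_no, "ssn"))
            if DOB_RE.search(cell):
                findings.append((row_no, col_no, "date_of_birth"))
    return findings


def release_ok(text: str) -> bool:
    """The pre-publication gate: refuse the upload when anything was found."""
    return not scan_for_pii(text)


if __name__ == "__main__":
    for row, col, kind in scan_for_pii(SAMPLE_WORKSHEET):
        print(f"row {row}, column {col}: {kind}")
    print("release ok" if release_ok(SAMPLE_WORKSHEET) else "BLOCKED: redact before posting")
```

A clean result from this check says only that nothing SSN- or DOB-shaped is present; it does not prove the data was randomized, so a human review of the final version still belongs in the process.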
Past Breaches:
Aon Consulting:
May, 2008 - Consultant loses laptop with Park National employee information
I have some additional follow-up on this breach on my site. Aon has already had a class action lawsuit filed against it, but what gets me is that Aon is taking all of the heat for this. Their previous submissions of the proposal did not contain the PII. It was only their last submission, it seems, where the PII was included. Significantly (to me): Aon didn't upload the file to the state's procurement site -- the state did. And the state is taking the position that they're not responsible because they had looked at previous submissions and there was really no reason to look at the final one -- or something like that. I think if you're uploading something to your site, you have some responsibility to look at it first, don't you?
Interesting. Based on your comment, there is certainly shared responsibility and shared liability. The state was given (or collected) the information from the employees in the first place, which provides the basis of the "owner" and "custodian" relationship, roles, and responsibilities. I think you could easily make the case that even if the state did not post the information to their web site (which they allegedly did), they have an obligation to ensure owner information is/was maintained in a secure manner. By engaging a 3rd party like Aon the state can transfer some risk, but they typically cannot transfer liability. Aon becomes a shared custodian of the owner's information, but not the sole custodian. Make sense? If not, I can elaborate.
I agree with your comment. The state is responsible for what they allow to be posted publicly, especially if they are the ones doing the posting!
Based solely on the information on your site and that which is publicly available, I would be surprised if this lawsuit was successful.
I haven't read any sources that suggest that the lawsuit against Aon has any chance of prevailing. I haven't seen anyone try to sue the state, although I doubt any such suit could prevail for all of the usual reasons.