Canadian Underwriter

Nationwide computer network hacked in October: company


December 10, 2012, by Angela Stelmakowich, Editor



A recent hack attack on the computer network used by Nationwide Insurance in the United States may have exposed personally identifiable information of approximately one million policyholders and non-policyholders, prompting the company to commission an external review and highlighting the perils of data breaches.

On October 3, a portion of the computer network used by Nationwide Insurance and Allied Insurance was “criminally intruded upon by an unidentified criminal perpetrator,” notes a company statement posted online last Thursday. Discovered the same day, the breach was reported to law enforcement authorities, who are actively investigating the incident.

Although the investigation is continuing, Nationwide reports an initial analysis indicates personal information of certain individuals that may have been compromised includes names and social security numbers, driver’s licence numbers and/or dates of birth, and possibly marital status, gender, occupation and employer name and address.

“Nationwide immediately took steps to secure the network. The company hired independent, third-party experts to analyze the impacted data and computer network,” notes the statement. “We believe that we successfully contained the attack through our responsive actions.”

On November 2, the insurer received confirmation of the identities and addresses of individuals whose personal information it believes was compromised. “At this time, we have no evidence that any medical information or credit card account information was stolen in the attack.”

The California Department of Insurance (CDI) was among the state regulators notified of the breach. Dave Jones, California’s insurance commissioner, says the insurer notified the CDI in November that a database was recently compromised and resulted in “the theft of confidential information for one million policyholders and non-policyholders.”

Jones has announced his office will conduct a review of Nationwide/Allied Group’s cyber security measures to ensure the company is doing everything it can to protect consumers from theft or loss of their personal information.

“In a global economy, driven by electronic commerce, it is essential that all necessary steps are taken to ensure consumers are protected from an unintentional release or criminal theft of their personal data,” the commissioner says.

At this point, the CDI is satisfied Nationwide is taking appropriate first steps to notify consumers whose information was accessed and is providing assistance.

Nationwide has offered each affected customer one year of free credit monitoring and identity theft protection through Equifax. This includes notification of any changes to credit information, as much as US$1 million identity fraud expense coverage and access to their credit report.

Despite concern over cyber risks, “many companies continue to underestimate or not recognize the potentially serious financial impact of a major cyber event,” states a report from Chubb Group of Insurance Companies, titled U.S. Public Companies Perceptions of Risk, and Their Risk Mitigation Strategies, which features findings from the Chubb 2012 Public Company Risk Survey.

The report cites a 2011 study from The Ponemon Institute, which indicates the typical data breach last year resulted in total costs of $194 per record (including notification, call centres, forensics and other direct expenses) and $5.5 million in total organizational costs. All figures are in U.S. currency.

A whitepaper from NetDiligence, based in Philadelphia, pegs $3.7 million as the average cost per data breach that occurred between 2009 and 2011. Cost averages are based on 58 events, for which the insurer provided a detailed breakout of what was paid on the claim. The costs are from the insurer’s perspective and the study focused primarily on insured per-breach costs.

Whatever the cost in millions of dollars, almost two-thirds of public companies, 64%, do not buy cyber insurance, notes the Chubb survey. The phone survey by Pollara involved 145 public companies – including financial, information technology and industrial – in the United States and Canada.

The lack of insurance is despite an almost equal percentage, 63%, of decision-makers saying they are concerned about cyber risk. In all, 19% of respondents were very concerned about an electronic security breach of customer or employee data, 44% were somewhat concerned, and 37% were not concerned.

A cyber security readiness survey from The Ponemon Institute, involving 803 individuals from various industries in the U.S. and released last month, notes that gaps in the perception of the true costs of data breaches persist.

“Although organizations have become more aware of potential threats, they do not seem to accurately perceive the repercussions associated with data breaches,” Dmitry Shesterin, vice-president of product management at Faronics, which sponsored the survey, said at the time.

The 60% of businesses surveyed that had experienced a data breach within the last year reported time and productivity losses, serious reputational damage, loss of customer loyalty, legal costs and, to a lesser extent, lawsuits and regulatory fines.

Responses from the Chubb survey, however, offer some positives. Of the companies surveyed, 52% are dedicating additional resources to mitigating cyber risk (3% are allocating fewer; 45% are allocating the same), and half of companies that currently do not have an e-security incident response plan expect to develop one over the next 12 months.

Chubb’s risk perceptions report also notes the biggest increases in resources allocated to risk mitigation over the past year relate to “mitigating risks from electronic security breaches, corporate governance, and financial and disclosure controls.”

