A report to the Maryland Attorney General’s Office from ING gave me pause because I don’t remember ever seeing a security issue like this before in a breach report. In their notification, ING writes (emphasis added by me):
ReliaStar Life Insurance Company (RLIC) is responsible for premium administration for RLIC insurance products purchased by employees of our clients. An encrypted electronic file containing the personal information of one client’s employees, including several Maryland resident (sic), was inadvertently made available to another company’s Human Resources (HR) department due to an isolated administrative error. The encrypted file included the individual’s (sic) name and social security number. Our password-based registration encryption system prohibits the wrong addressee from opening an encrypted e-mail. Because the e-mail was addressed to the wrong client, that client was able to open the e-mail.
The receiving (incorrect) employer notified ING on June 3 and ING worked with them to securely delete the file and protect the data.
Of the individuals affected, 473 were Maryland residents.