Aviva USA is notifying hundreds customers that their Social Security numbers may have been acquired after malware infected one of their computers.
In a May 28 letter (pdf) to the New Hampshire Attorney General’s Office, Aviva’s Chief Privacy Officer Carolyn Gee explained that the exposure occurred while the company “was conducting online research to locate the most current address information for policyholders or beneficiaries whose correspondence had been returned as undeliverable.”
The company believes that the Social Security Numbers and names and/or addresses of approximately 550 customers may have been acquired during the period between December 30, 2006 and February 24, 2009. There was no indication in the report as to when Aviva first became aware of the problem.
As part of its response to the breach, Aviva has changed the login passwords for some employees whose passwords may have been compromised and has offered those affected services through Debix.
According to a spokesperson for Debix with whom I spoke earlier today, Debix will continue to place fraud alerts on consumer’s credit reports for the next three months while they transition over to a new service that they will introduce in September. Unless Congress introduces legislation to amend the language of FACTA to allow businesses to place fraud alerts on a consumer’s behalf, companies that placed such alerts, such as Lifelock, are all likely to change their services in light of a recent court ruling.
Updated July 6: Aviva’s notification to the Maryland Attorney General’s Office indicates that a total of 550 individuals may have been affected.