On February 28, The Hartford detected that a virus had infected their Windows-based servers. The virus had the potential to capture personal information involved in online transactions including bank account numbers, Social Security Numbers, user account logins/passwords, and credit card numbers.
By letter dated March 10 to the New Hampshire Attorney General’s Office, The Hartford wrote:
At this time, we are still unsure as to whether or not any personally identifiable information was captured but have no reason to believe that any information has been or will be misused.
I’ll let you scratch your head over that one. People who create viruses or infected downloads do so to acquire and misuse information, right? Maybe the company has “no reason to believe” that any information that might have been captured has been misused, but does it really have any reason to believe that it won’t be misused if it was, in fact, captured?
In its letter to employees dated March 11, the firm noted that anyone who logged into the system between February 22 and February 28 should take certain precautions. To assist them, the company offered them two years of credit monitoring and identity theft protection services.
Although the firm did not directly explain how their servers were compromised, statements in their letters and FAQ suggest that their anti-virus software had not detected a virus attached to a file an employee downloaded from an unknown source on the Internet.
Update: Ha! I no sooner get done posting this than I discover that Bob McMillan has reported this incident for IDG News. Bob reports that 300 employees, contractors, and a few customers were notified. You can read his coverage on ITWorld.