
Breach notification done right? (Nationwide hack, updated)

Posted on November 17, 2012 by Dissent

I spend a lot of time criticizing breach notifications, so it’s nice when I can occasionally point to a positive example.

Without considering whether the breach could have been prevented, consider this notification letter from Nationwide Insurance, dated November 16:

We want to make you aware that a portion of our computer network was criminally attacked and we believe that the attack compromised some of your information. We are very sorry that this situation has occurred. Protecting the privacy and security of your information is a top priority for us, and we want to assure you that we have taken steps that will prevent this type of attack from happening again. Although we are not aware of any misuse of your information at this time, we want to inform you about the situation and encourage you to take the steps below, including taking advantage of the credit monitoring and identity theft protection product we are providing to you at no charge.

The Incident

On October 3, 2012, a portion of our computer network that is used by Nationwide Insurance agents and Allied Insurance agents was criminally intruded upon by an unidentified criminal perpetrator. We discovered the attack that day, and took immediate steps to contain the intrusion. We believe that we successfully contained the attack through our responsive actions.

We promptly initiated an investigation of the attack and on October 16, 2012, we determined that the criminal perpetrator had likely stolen some personal information from our systems. On November 2, 2012, we received confirmation of the identities and addresses of the individuals whose personal information we believe was compromised. Although we are still investigating the incident, our initial analysis has indicated that the compromised information included your name and [Social Security number, driver’s license number, date of birth] and possibly your marital status, gender, and occupation, and the name and address of your employer. At this time, we have no evidence that any medical information or credit card account information was stolen in the attack.

You can read the full letter on the California AG site.

I realize that in some states, notification 6 weeks after discovery of the incident would violate a timeliness provision in the reporting requirements, but overall, they detected the breach quickly, secured it quickly, and within one month were able to construct a list of affected individuals. Could they have gotten the actual letter out faster than two weeks after confirming identities and addresses? Probably, but overall, I’m favorably impressed. Your mileage may vary.

Update of Nov. 30: I have other blog entries that provide more recent information on this breach that you may wish to see: here and here.

Also, for those of you who cannot understand how/why Nationwide had all your information, the California Department of Insurance is investigating the breach. At the bottom of their notice they add:

Media Note: The Nationwide affiliates affected in California by the breach include: Nationwide Mutual Insurance Company, Nationwide Insurance Company of America, Allied Property & Casualty Insurance Company, AMCO Insurance Company, Depositors Insurance Company, & Titan Indemnity Company.

Nationwide has also created a web site about the breach.

If you are not satisfied with the response you get, you might try contacting the Dept. of Insurance and telling them your concerns.

Categories: Breach Incidents, Business Sector, Hack, Of Note, U.S.


46 thoughts on “Breach notification done right? (Nationwide hack, updated)”

  1. Kirk says:
    November 20, 2012 at 10:23 am

    I got the notice, yet have never applied for nor gotten Nationwide insurance; how would they have my personal information in the first place? It directs me to a website but why does it instruct me to enter all my personal information? I think Nationwide could identify me using only the “promotion code” on the letter.

    1. admin says:
      November 20, 2012 at 10:55 am

      Is it possible that you were a family member/beneficiary of someone who was/is covered by Nationwide or Allied?

  2. Alex says:
    November 25, 2012 at 5:32 pm

    I also received the letter. Why does it direct me to enter my personal information? Seems they already have it. Also, like Kirk says… I have no relation with Nationwide. If I find out that Nationwide indeed has my info, and was truly hacked, and if any ill comes of it… I will be contacting my lawyer. Heck, forget the “if any ill comes of it.” If they have my personal info and it was indeed hacked, I’ll be contacting my lawyer.
    Personal info means SSN, DOB, DL#, CC info… etc.
    I do know that my name and address are public info.
    Can’t wait till tomorrow’s phone call.

    1. admin says:
      November 25, 2012 at 6:04 pm

      Let us know what they tell you about how they got your info, please.

  3. Joe says:
    November 27, 2012 at 12:47 pm

    I received the same letter even though I have Allied (probably an affiliate) and that is why they had my info. They have everything. There is nothing I can do now to protect myself, I’ve tried so hard my entire life by shredding documents to protect that, and the company can’t even keep it safe???

  4. CL Smith says:
    November 27, 2012 at 6:15 pm

    I received the letter and after reading that I had to enter all of my personal info to sign up, I was cautious to say the least. I called my local NW ins. office and verified that they were familiar with it, to which they said yes, and directed me to the dept that was handling this. I also have never had NW ins or Allied Ins; however, they advised that this was very possibly a result of my own insurance agency doing a search for better rates. The information that was “criminally attacked” was any information that was used in this process. And, for those that are not familiar, your credit is run now to determine your insurance rates. The worse your credit is, the higher your insurance can become.
    I have signed up, but have to say.. the criminal that attempts to get credit/car/house etc under my credit will be kicking themselves for being an idiot.

  5. Jim says:
    November 28, 2012 at 9:43 am

    I live in Missouri and just received the letter. I can’t understand why any company would want to keep sensitive information. I did have a policy through this company, but it has been approximately 1 year since I have used them as an insurance company. I was told that they keep personal information on hand for 7 years.

    1. Anonymous says:
      November 30, 2012 at 1:31 pm

      Me too! I cancelled my policy with Nationwide back in June. I am really upset that they failed to protect my personal information. Even more so because I am not even a customer of theirs anymore. What a headache.

  6. nationwide sucks says:
    November 30, 2012 at 4:34 pm

    My spouse and I have never NEVER used Nationwide. However, we both received letters saying our information had been hacked. This kind of stuff is just ridiculous. They should not be allowed to keep that information on file. It should be destroyed. This is rocket science, it’s good business. I don’t keep my client files. I keep basic information such as a PHONE number and name, but private information remains private. It would not be hard for companies to make a similar system.

  7. Joe says:
    December 1, 2012 at 12:15 pm

    I wonder if there is a way to start a class action lawsuit to make them pay for identity security for life!

    1. admin says:
      December 1, 2012 at 8:24 pm

      I’ve never seen any lawsuit accomplish that. In fact, any lawsuit against them stands a good chance of failing if the plaintiffs can’t show actual unreimbursed harm.

  8. Mary says:
    December 1, 2012 at 8:10 pm

    I have never had, nor applied for, Nationwide Insurance or Allied Ins. so I don’t understand why my personal information was in their files to begin with. How can they say that they “are not aware of any misuse of your information at this time” in the letter they sent out? How do they know that it wasn’t and won’t be misused? I agree that whoever is responsible for this security breach ought to be sued.

    1. admin says:
      December 1, 2012 at 8:26 pm

      I wish you and everyone else who has no idea how Nationwide got their data would call or send registered letters to Nationwide and demand to know how they obtained your data – specifically. Not “We might have gotten it because you…” but an actual accounting of where the data came from. Of course, that’s pretty futile as dollars to donuts, they won’t be able to tell you, but Congress really needs to be made aware of this case as an example of the problems consumers face protecting our information.

      1. LadyB says:
        December 1, 2012 at 11:40 pm

        Depending on the state you live in, they may be legally obligated to tell you how, from where or whom, and when they obtained your data. I worked for a company where part of my job was digging in our databases to respond to consumer requests for this information. We extended this service to anyone who called rather than just the states that require it, so I can’t tell you which ones are covered and which ones aren’t.

        1. admin says:
          December 1, 2012 at 11:50 pm

          Good to know that some states require such disclosure – I’ll ask around to see if I can find a list – thanks! Can you tell us what state you worked in so we’ll know at least one state that requires it?

          1. LadyB says:
            December 2, 2012 at 12:04 am

            I worked in a Wisconsin office for a company based in New Jersey or Pennsylvania – sorry it’s been a decade or 2. Our customers were from all 50 states, all the US territories, and Canada.

          2. admin says:
            December 2, 2012 at 12:08 am

            I’ll keep checking. So far, no joy but it’s late, I’m tired, and will try again next week.

          3. LadyB says:
            December 5, 2012 at 7:33 pm

            Sorry, been out of town for a funeral. The hotel didn’t have internet.

            Just called and spoke to a live person today. Wisconsin must be one of the states where they have to tell you, because both my cousin and I were among the notified. He called Monday and they called him back this morning with the info. I called this morning and have been promised a call by the end of business on Friday. His bank offered him an auto insurance quote that “would be less than what he was paying”. They didn’t bother to mention that they’d be sharing his social with multiple companies. I’m suspecting this is how they got my info too. BTW, for both my cousin and I the bank’s rates were 10% MORE than what we were paying at the time. Didn’t ask my cousin who he banks through, but my bank is Wells Fargo… not sure for how much longer.

  9. jim says:
    December 2, 2012 at 12:46 pm

    I am in Omaha, NE and received “my” letter from Nationwide Insurance on Nov 29, 57 days after the info was lost. I had done business with Peterson Bros Insurance in Omaha, NE and purchased Allied insurance from them about six years ago. I was assured that my sensitive information was safe; I never dreamed that the company they represented to me would still hold that information six years or so later. I suppose the company in question “keeps” this information so that they can sell it for a profit? But what does that cost us as individuals? Sealing your credit only fixes a small part of a potential problem. What if someone with YOUR identity purchases a car, cable TV, phone service, and that vendor fails to check his?/YOUR credit report? Who will they come after??? They are coming after the guy with your social security number, your driver’s license number, your address, your phone number, and they want their money, and they will not leave you alone till you pay up. Check your mail lately? Did Nationwide send a letter here that deserves praise? You be the judge.

    1. admin says:
      December 2, 2012 at 2:01 pm

      As I pointed out, my comments weren’t addressing whether the breach or data loss could have been prevented. I was only commenting on the written communication about the breach and whether it provided sufficient info on the incident and support. Your questions are good ones, though.

  10. jim says:
    December 2, 2012 at 10:22 pm

    Ok, it was a nicely written letter. But let us think about the reality of identity theft. Watching your credit via the credit bureau can’t be too hard, although you do have to renew it every 90 days. And having support for a year fending off bill collectors could surely help. But, what happens after a year? Identity theft can potentially last a lifetime. Your identity can be sold, and later, sold again, and again; people at different places can keep showing up as YOU. Long periods of time pass and one may think “thank God it’s over” only to have it start up again. This letter tells me that I will be looking over my shoulder for the rest of my life. Those numbers are ME! They are my name. It is the family name that my father and his father before him worked hard to be proud of. And it is the name of my son. The thought of a dishonest person or persons using my family name to lie, steal, and cheat honest folks hurts me to my very core. Ok, it was a nicely written letter. But I hope my son does not get one; he is still insured with Allied.

  11. Joe says:
    December 3, 2012 at 9:05 am

    I agree with you guys, especially Jim. This is a lifer… When talking to the insurance company they said “we are giving you one year free!” I said…

    “If the hacker is smart enough to hack YOUR ‘secure’ system, then they are smart enough to know the offer you are giving everyone is one year. They are smart enough to wait a year to use it or sell it. This isn’t something that goes away or involves numbers I can change. My SSN and name are permanent… I have to watch this for the rest of my life; one year is not enough!”

    This really pisses me off knowing that they MADE me give them this info, not to mention the fact that they have the “right” to have your info and sell/give it to “partners” to “help provide better services.”

  12. Dakota says:
    December 3, 2012 at 5:53 pm

    Why the heck was this information not encrypted? Network/Internet Security 101 stresses NOT to put SS#, DOB, names, addresses in the same file, just for the reason that if someone hacks in they get at least encrypted SS#s with no other personal information! Why would any company put client information in a potential storage location that was not encrypted!?!?

    1. Joe says:
      December 4, 2012 at 5:38 am

      When explaining this to my state’s department of agency they said “well they tried, so why should they be responsible?”
      I said, I can say I closed my front house door, and get robbed and tell the insurance company “I tried to secure my house by shutting my door” and that wouldn’t be acceptable even though it was a “try”. I said, if I tried harder and LOCKED the door, that would be the next step beyond a “try”… obviously this company didn’t do that.

      “well we don’t know what to say, we haven’t encountered this before.” I said you regulate them correct? She said “yes.” I said, okay what regulations do you have to ensure they protect my information?

      “Well I guess we don’t really have any written out.”

      WTF?

  13. jim says:
    December 3, 2012 at 8:44 pm

    It is nice to hear the comments of Joe and Dakota; I think they both present an approach of common sense. Thanks to both of you for joining in. Please consider a letter or call to your state’s attorney general. Many thanks,

  14. jim says:
    December 3, 2012 at 11:46 pm

    Aren’t insurance companies like Nationwide supposed to offset risk for people, not deliver risk to your door?

  15. friend says:
    December 5, 2012 at 9:13 am

    You are protected by federal laws that require these companies to ensure your privacy. GLB and SOX were put in place to protect us from this kind of problem.

    1. admin says:
      December 5, 2012 at 10:12 am

      True, as well as state laws, but as far as I know, there’s no private cause of action under either GLBA or SOX, so only the govt can go after them for any violations, not the consumers.

  16. jim says:
    December 5, 2012 at 10:19 pm

    You boys keep talkin’, I am listening with interest.

  17. Little Bit PO says:
    December 7, 2012 at 4:41 pm

    My wife received one of these notification letters and what disturbs me is the scale of information involved (SS#, name, DOB, drivers license number).

    This type of information could be used to completely ruin a person’s credit rating and force them into a decade or even lifelong battle to protect themselves from future fraud. The ‘one year free’ identity theft protection being offered by Nationwide is laughable and doesn’t do nearly enough to protect those hurt by the data breach.

    I think a class action should be filed to, if for no other reason, force Nationwide to provide a lifetime’s identity theft protection service to everyone impacted.

    1. admin says:
      December 7, 2012 at 4:45 pm

      You’re unlikely to get lifetime ID theft coverage. HOWEVER, in other breaches in the past, Connecticut’s Attorney General went after some companies who had been breached and got them to settle the charges on certain terms that included two years of ID theft and credit restoration services. If people call their state’s attorney general/consumer protection and complain and ask what the state is doing to help protect consumers better, maybe you’ll get some action. Good luck!

  18. Rose Dunkin says:
    December 7, 2012 at 6:27 pm

    My husband and I both received letters from Mutual of Omaha regarding a loss of personal information. We did sign up for the Equifax fraud alert. Yesterday my husband received an alert that a withdrawal of over 400.00 was taken out of his bank account. He called the bank today, and the bank did not locate the withdrawal. When I was registering for the Equifax protection I had a gut feeling that this was all a scam. How can Mutual of Omaha only offer one year of credit checks when our data will be out there for a lifetime? We did try to call Equifax today to discuss the alert. On the phone for over 45 min and could not reach a human voice. How many of these alerts are we going to get? Was on the phone with our bank, insurance agent; we also called the Federal Trade Commission. I just have a feeling that it was intentional that our personal information is out there. Mutual of Omaha should be held liable. I am very anxious to use any internet web site to post my personal information and now someone could be doing this at unlimited intervals.

    1. admin says:
      December 7, 2012 at 8:31 pm

      I’m confused. What does Mutual of Omaha have to do with the Nationwide breach discussed in this thread? Did you get a notification about a different breach or the Nationwide breach?

  19. Rose Dunkin says:
    December 7, 2012 at 9:34 pm

    Sorry letter was from Nationwide vs. Mutual of Omaha. LOL been a long day

    1. admin says:
      December 8, 2012 at 9:35 am

      I understand completely. 🙂

      If Equifax sent an alert and the bank cannot confirm it, I’d be concerned, too. Let me see if I can find out how to reach a human at Equifax.

  20. Joe says:
    December 10, 2012 at 8:09 am

    Admin… I called my state’s attorney general and they were clueless saying “I’m sure nationwide is trying their hardest to find the person who did this… what more can they do?” I said “I now have a lifetime problem, they should pay for it because it was their fault.” They responded back saying “they didn’t give away your info, it was stolen.”

    So I didn’t get anywhere with that 🙁

    1. admin says:
      December 10, 2012 at 8:16 am

      Wow. What state?

      1. Joe says:
        December 10, 2012 at 12:10 pm

        South Dakota… Maybe it was a Friday and the “main person” was off, I’m not sure. Any other results from anyone else?

  21. jim says:
    December 10, 2012 at 10:03 am

    Nationwide insurance has an obligation to “hold” our information safely. In my case, my wife and I have not done business with Allied insurance (a Nationwide company) for about six years. So, how long do these companies “hold” your info? Till they lose it all? I am not a computer guy, but an easy way to make social security numbers safe would be to hold the names attached to them in a separate place; how hard is that?

  22. Joe says:
    December 10, 2012 at 12:12 pm

    Jim, that is what they are supposed to do. Have their stuff encrypted, meaning codes, and in different places. To me, I would think this is negligence on their end and I want my credit watched and protected (financial backup) from Nationwide’s pocket. I wish there was a way to find out more of what I can do.

  23. Joe says:
    December 10, 2012 at 12:32 pm

    I just got through to my “real” attorney general… WAAAY better response now. If you ever do have fraudulent activity, Nationwide is responsible for extending your watch thing to protect you, because the study that was conducted showed if nothing happens to your info within a year or two, chances are it won’t.

    1. Rose Dunkin says:
      December 10, 2012 at 9:08 pm

      If actual activity does occur with our credit being frauded, can a case be brought against them? Does Nationwide offer insurance on credit fraud? Any luck getting thru to Equifax? I did contact Social Security and let them know our numbers are out there. I got an e-mail back that they are investigating as well.

  24. Mike Sarnell says:
    December 11, 2012 at 11:32 pm

    You know, the “promotion code” included in the letter makes me think that Equifax is using this as an opportunity to sell its fraud insurance after the year of “free” runs out.
    Like they’d continue billing your card.

    1. Rose Dunkin says:
      December 12, 2012 at 10:07 am

      That is what I was thinking too

      1. Craig B says:
        December 13, 2012 at 4:43 pm

        I thought so too, but you don’t need to enter any credit card information when using the promo code.

  25. LD says:
    December 13, 2012 at 10:53 am

    I was one of the individuals whose information was compromised. I received a letter dated 11/16; however, it was not in my mailbox until December 7th. So while the letters were printed on one date, they mailed on another. Residents of Iowa make up nearly 1/10 of all the people compromised! On top of that they are only offering 1 YEAR of protection; that is hardly a remedy. I sure do hope they resolve this problem and offer their customers something much better than that. I have been a paying customer for many years now. If litigation does happen I wouldn’t be upset, not because I want or need anything from the company, but I want to know that my identity is secure for a long time to come, not just a year!! And if they won’t offer the service they can give us the money to get that kind of security. I really hope they do the right thing here; if they have core values and morals within their corporation they will reconsider offering more than one year of protection to their paying customers and to those who didn’t even have a policy! (This could be because their agent, without their knowledge, inquired about lower rates, etc. It’s a darn shame.)
