The Variable Annuity Life Insurance Company (VALIC) is notifying customers of what appears to be an old security lapse. In a letter template submitted yesterday to the California Attorney General, the firm writes:
It recently came to our attention that a financial advisor formerly associated with VALIC was in possession of information relating to some of our customers including you. This included customer names and either partial or complete Social Security numbers. There is no indication that your information has been misused.
Given that the financial advisor left VALIC in October of 2007, I’m curious as to how this first came to their attention now. Did the financial advisor suddenly discover it on their hard drive, or if not, how did VALIC learn of it? (see below for update)
Those notified were offered a year of free credit monitoring services.
Update: The breach was also reported to Maryland with a cover letter to the state’s Attorney General that provides additional details. In their submission to that state, they reported that 774,723 were affected nationwide and that on October 29, 2013, law enforcement gave them a thumb drive with their customer data obtained during an execution of a search warrant on the former financial advisor.
In digging into this more, it seems that VALIC first reported this breach to Maryland’s Attorney General in February 2013. According to their report, they first became aware of a problem back in September 2012, when they were contacted by a customer who had been contacted by the former advisor, who was still in possession of their Social Security numbers and information. On January 14, they learned that the former advisor was likely the one trying to gain access to client account information by creating userids and profiles to access accounts. As a result, VALIC notified some clients when they found evidence that someone had created a userid and profile to view the client’s account on valic.com – or had tried unsuccessfully to do so. Those notification letters did not happen to mention that the unauthorized individual was likely a former financial advisor.
The former financial advisor was arrested in September, 2013. VALIC reports it took them from October 29 until November 12 to complete their preliminary investigation and then a few more weeks to identify individuals who needed to be notified and their current contact information. There is no explanation as to why it took from the beginning of December 2013 until the end of February 2014 to actually send the notification letters.
the only people in our corporation I have found that even recieved a letter of security breach was another colleague who retired. As far a I know, no one currently employed has been notified. I am sure they don’t want their current clients to panic, but everyone invested in this corrupt company should be notified…