International SOS is notifying travelers of a data security breach.
“On August 28, 2013, it was confirmed that some of our data files containing personal information were potentially unlawfully accessed. The data accessed includes a limited amount of personal information. This may have included your name, passport number, and in a limited number of cases, social security number,” an e-mail sent to those affected reads.
The e-mail does not state when the breach occurred, but additional information on California’s breach list indicates that it occurred August 24.
Those affected have been offered free services through CSID.
Of note, perhaps, the e-mail says, “This notification is being sent to affected travelers. (If you as the recipient are a travel/booking agent or personal assistant, please forward this email to the traveler named above).” Are travel/booking agents or personal assistants legally responsible/required to forward breach notifications? Has International SOS met its notification obligations if it does not ensure that those affected have been notified? Anyone know?
Update: The breach affected 95,000 people, according to the firm’s report to New Hampshire.
Update: The breach was also reported to Maryland.