[Dataloss] Sentry Insurance Says Customer Data Stolen

George Toft george at myitaz.com
Sun Jul 30 14:15:18 EDT 2006


At this point, I would like to point out that Wisconsin has a weak 
Identity Theft protection/reporting law (might not even be law yet). 
Per Consumers Union 
(www.consumersunion.org/campaigns/Breach_laws_May05.pdf), Wisconsin has 
a bill SB164: "The entity need only provide notice if it knows that 
personal information has been acquired by an unauthorized person. And 
there is a material risk of identity theft or fraud."  Well, the risk 
has been realized.

And we have an insurance company [bound to comply with the 
Gramm-Leach-Bliley Act and SOX 404, so they should have had adequate 
security measures in place to prevent this incident - separation of duty 
(legal requirement) and not using live data in development (best 
practice)] who chooses not to report the breach until 72 people's 
information is sold over the Internet.  They chose to keep it quiet and 
not tell anyone because there was no requirement to notify anyone of the 
breach.  Reading between the lines in the article, it looks like the 
Secret Service was on top of the event before Sentry Insurance.  I 
wonder how soon the class-action lawsuit will be filed.

As this incident demonstrates, failure to disclose data loss events 
leads to identity theft.  Disclosure seems to have a positive 
[short-term] effect on preventing ID Theft.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.


lyger wrote:
> Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/
> 
> http://www.mercurynews.com/mld/mercurynews/business/technology/15153907.htm
> 
> Personal information on 72 workers' compensation claimants was stolen
> from Sentry Insurance and later sold over the Internet, the company said.
> 
> The data sold included names and Social Security numbers but not
> medical records, Sentry said. Data on an additional 112,198 claimants
> was also stolen but there is no evidence it was sold, the company said.
> 
> Sentry said it notified everyone affected and was providing credit
> monitoring services to help prevent fraud.
> 
> [...]
> 
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/errata/dataloss/