Breach notification done right? (Nationwide hack, updated)

I spend a lot of time criticizing breach notifications, so it’s nice when I can occasionally point to a positive example.

Without considering whether the breach could have been prevented, consider this notification letter from Nationwide Insurance, dated November 16:

We want to make you aware that a portion of our computer network was criminally attacked and we believe that the attack compromised some of your information. We are very sorry that this situation has occurred. Protecting the privacy and security of your information is a top priority for us, and we want to assure you that we have taken steps that will prevent this type of attack from happening again. Although we are not aware of any misuse of your information at this time, we want to inform you about the situation and encourage you to take the steps below, including taking advantage of the credit monitoring and identity theft protection product we are providing to you at no charge.

The Incident

On October 3, 2012, a portion of our computer network that is used by Nationwide Insurance agents and Allied Insurance agents was criminally intruded upon by an unidentified criminal perpetrator. We discovered the attack that day, and took immediate steps to contain the intrusion. We believe that we successfully contained the attack through our responsive actions.

We promptly initiated an investigation of the attack and on October 16, 2012, we determined that the criminal perpetrator had likely stolen some personal information from our systems. On November 2, 2012, we received confirmation of the identities and addresses of the individuals whose personal information we believe was compromised. Although we are still investigating the incident, our initial analysis has indicated that the compromised information included your name and [Social Security number, driver’s license number, date of birth] and possibly your marital status, gender, and occupation, and the name and address of your employer. At this time, we have no evidence that any medical information or credit card account information was stolen in the attack.

You can read the full letter on the California AG site.

I realize that there are some states where notification 6 weeks after the discovery of the incident would violate a timeliness provision in reporting, but overall, they detected the breach quickly, secured it quickly, and within one month, were able to construct a list of affected individuals. Could they have gotten the actual letter out faster than two weeks from confirmation of identities and addresses? Probably, but overall, I’m favorably impressed. Your mileage may vary.

Update of Nov. 30: I have other blog entries that provide more recent information on this breach that you may wish to see: here and here.

Also, for those of you who cannot understand how/why Nationwide had all your information, the California Department of Insurance is investigating the breach. At the bottom of their notice they add:

Media Note: The Nationwide affiliates affected in California by the breach include: Nationwide Mutual Insurance Company, Nationwide Insurance Company of America, Allied Property & Casualty Insurance Company, AMCO Insurance Company, Depositors Insurance Company, & Titan Indemnity Company.

Nationwide has also created a web site about the breach.

If you are not satisfied with the response you get, you might try contacting the Dept. of Insurance and tell them your concerns.

About the author: Dissent

46 comments to “Breach notification done right? (Nationwide hack, updated)”

  1. Kirk - November 20, 2012

    I got the notice, yet have never applied for nor gotten Nationwide insurance; how would they have my personal information in the first place? It directs me to a website but why does it instruct me to enter all my personal information? I think Nationwide could identify me using only the “promotion code” on the letter.

    • admin - November 20, 2012

      Is it possible that you were a family member/beneficiary of someone who was/is covered by Nationwide or Allied?

  2. Alex - November 25, 2012

    I also received the letter. Why does it direct me to enter my personal information? Seems they already have it. Also, like Kirk says… I have no relation with Nationwide. If I find out that Nationwide indeed has my info, and was truly hacked, and if any ill comes of it.. I will be contacting my lawyer. Heck, forget the “if ill comes of it.” If they have my personal info and it was indeed hacked, I’ll be contacting my lawyer.
    Personal info means SSN, DOB, DL#, CC info… etc.
    I do know that my name and address are public info.
    Can’t wait till tomorrow’s phone call.

    • admin - November 25, 2012

      Let us know what they tell you about how they got your info, please.

  3. Joe - November 27, 2012

    I received the same letter even though I have Allied (probably an affiliate) and that is why they had my info. They have everything. There is nothing I can do now to protect myself, I’ve tried so hard my entire life by shredding documents to protect that, and the company can’t even keep it safe???

  4. CL Smith - November 27, 2012

    I received the letter and after reading that I had to enter all of my personal info to sign up, I was cautious to say the least. I called my local NW ins. office and verified that they were familiar with it, to which they said yes, and directed me to the dept that was handling this. I also have never had NW ins or Allied Ins; however, they advised that this was very possibly a result of my own insurance agency doing a search for better rates. The information that was “criminally attacked” was any information that was used in this process. And, for those that are not familiar, your credit is run now to determine your insurance rates. The worse your credit is, the higher your insurance can become.
    I have signed up, but have to say.. the criminal that attempts to get credit/car/house etc under my credit will be kicking themselves for being an idiot.

  5. Jim - November 28, 2012

    I live in Missouri and just received the letter. I can’t understand why any company would want to keep sensitive information. I did have a policy through this company, but it has been approximately 1 year since I have used them as an insurance company. I was told that they keep personal information on hand for 7 years.

    • Anonymous - November 30, 2012

      Me too! I cancelled my policy with Nationwide back in June. I am really upset that they failed to protect my personal information. Even more-so because I am not even a customer of theirs anymore. What a headache.

  6. nationwide sucks - November 30, 2012

    My spouse and I have never NEVER used Nationwide. However, we both received letters saying our information had been hacked. This kind of stuff is just ridiculous. They should not be allowed to keep that information on file. It should be destroyed. This is rocket science, it’s good business. I don’t keep my client files. I keep basic information such as a PHONE number and name, but private information remains private. It would not be hard for companies to make a similar system.

  7. Joe - December 1, 2012

    I wonder if there is a way to start a class action lawsuit to make them pay for identity security for life!

    • admin - December 1, 2012

      I’ve never seen any lawsuit accomplish that. In fact, any lawsuit against them stands a good chance of failing if the plaintiffs can’t show actual unreimbursed harm.

  8. Mary - December 1, 2012

    I have never had, nor applied for, Nationwide Insurance or Allied Ins. so I don’t understand why my personal information was in their files to begin with. How can they say that they “are not aware of any misuse of your information at this time” in the letter they sent out? How do they know that it wasn’t and won’t be misused? I agree that whoever is responsible for this security breach ought to be sued.

    • admin - December 1, 2012

      I wish you and everyone else who has no idea how Nationwide got their data would call or send registered letters to Nationwide and demand to know how they obtained your data – specifically. Not “We might have gotten it because you…” but an actual accounting of where the data came from. Of course, that’s pretty futile as dollars to donuts, they won’t be able to tell you, but Congress really needs to be made aware of this case as an example of the problems consumers face protecting our information.

      • LadyB - December 1, 2012

        Depending on the state you live in, they may be legally obligated to tell you how, from where or whom, and when they obtained your data. I worked for a company where part of my job was digging in our databases to respond to consumer requests for this information. We extended this service to anyone who called rather than just the states that require it, so I can’t tell you which ones are covered and which ones aren’t.

        • admin - December 1, 2012

          Good to know that some states require such disclosure – I’ll ask around to see if I can find a list – thanks! Can you tell us what state you worked in so we’ll know at least one state that requires it?

          • LadyB - December 2, 2012

            I worked in a Wisconsin office for a company based in New Jersey or Pennsylvania – sorry it’s been a decade or 2. Our customers were from all 50 states, all the US territories, and Canada.

          • admin - December 2, 2012

            I’ll keep checking. So far, no joy but it’s late, I’m tired, and will try again next week.

          • LadyB - December 5, 2012

            Sorry–been out of town for a funeral. The hotel didn’t have internet.

            Just called and spoke to to a live person today. Wisconsin must be one of the states that they have to tell you because both my cousin and I were among the notified. He called Monday and they called him back this morning with the info. I called this morning and have been promised a call by the end of business on Friday. His bank offered him an auto insurance quote that “would be less than what he was paying”. They didn’t bother to mention that they’d be sharing his social with multiple companies. I’m suspecting this is how they got my info too. btw – for both my cousin and I the bank’s rates were 10% MORE than what we were paying at the time. Didn’t ask my cousin who he banks through, but my bank is Wells Fargo…not sure for how much longer.

  9. jim - December 2, 2012

    I am in Omaha, NE and received “my” letter from Nationwide Insurance on Nov 29, 57 days after the info was lost. I had done business with Peterson Bros Insurance in Omaha, NE and purchased Allied insurance from them about six years ago. I was assured that my sensitive information was safe; I never dreamed that the company they represented to me would still hold that information six years or so later. I suppose the company in question “keeps” this information so that they can sell it for a profit? But what does that cost us as individuals? Sealing your credit only fixes a small part of a potential problem. What if someone with YOUR identity purchases a car, cable TV, phone service, and that vendor fails to check his?/YOUR credit report? Who will they come after??? They are coming after the guy with your social security number, your driver’s license number, your address, your phone number, and they want their money, and they will not leave you alone till you pay up. Check your mail lately? Did Nationwide send a letter here that deserves praise? You be the judge.

    • admin - December 2, 2012

      As I pointed out, my comments weren’t addressing whether the breach or data loss could have been prevented. I was only commenting on the written communication about the breach and whether it provided sufficient info on the incident and support. Your questions are good ones, though.

  10. jim - December 2, 2012

    Ok, it was a nicely written letter. But let us think about the reality of identity theft. Watching your credit via the credit bureau can’t be too hard, although you do have to renew it every 90 days. And having support for a year fending off bill collectors could surely help. But, what happens after a year? Identity theft can potentially last a lifetime. Your identity can be sold, and later, sold again, and again; people at different places can keep showing up as YOU. Long periods of time pass and one may think “thank God it’s over” only to have it start up again. This letter tells me that I will be looking over my shoulder for the rest of my life. Those numbers are ME! They are my name. It is the family name that my father and his father before him worked hard to be proud of. And it is the name of my son. The thought of a dishonest person or persons using my family name to lie, steal, and cheat honest folks hurts me to my very core. Ok, it was a nicely written letter. But I hope my son does not get one; he is still insured with Allied.

  11. Joe - December 3, 2012

    I agree with you guys, especially Jim. This is a lifer… When talking to the insurance company they said “we are giving you one year free!” I said…

    “If the hacker is smart enough to hack YOUR ‘secure’ system, then they are smart enough to know the offer you are giving everyone is one year. They are smart enough to wait a year to use it or sell it. This isn’t something that goes away or involves numbers I can change. My SSN and name are permanent… I have to watch this for the rest of my life; one year is not enough!”
    This really pisses me off knowing that they MADE me give them this info, not to mention the fact that they have the “right” to have your info and sell/give it to “partners” to “help provide better services.”

  12. Dakota - December 3, 2012

    Why the heck was this information not encrypted? Network/Internet Security 101 stresses NOT to put SS#, DOB, Names, addresses in the same file. Just for the reason if someone hacks in they get at least encrypted SS#s with no other personal information! Why would any company put client information in a potential storage location that was not encrypted!?!?

    • Joe - December 4, 2012

      When explaining this to my state’s department of agency they said “well they tried, so why should they be responsible?”
      I said, I can say I closed my front house door, and get robbed and tell the insurance company “I tried to secure my house by shutting my door” and that wouldn’t be acceptable even though it was a “try”. I said, if I tried harder and LOCKED the door, that would be the next step beyond a “try”… obviously this company didn’t do that.

      “well we don’t know what to say, we haven’t encountered this before.” I said you regulate them correct? She said “yes.” I said, okay what regulations do you have to ensure they protect my information?

      “Well I guess we don’t really have any written out.”


  13. jim - December 3, 2012

    It is nice to hear the comments of Joe and Dakota; I think they both present an approach of common sense. Thanks to both of you for joining in. Please consider a letter or call to your state’s attorney general. Many thanks,

  14. jim - December 3, 2012

    Aren’t insurance companies like Nationwide supposed to offset risk for people, not deliver risk to your door?

  15. friend - December 5, 2012

    You are protected by federal laws that require these companies to ensure your privacy. GLB and SOX were put in place to protect us from this kind of problem.

    • admin - December 5, 2012

      True, as well as state laws, but as far as I know, there’s no private cause of action under either GLBA or SOX, so only the govt can go after them for any violations, not the consumers.

  16. jim - December 5, 2012

    You boys keep talkin’, I am listening, with interest.

  17. Little Bit PO - December 7, 2012

    My wife received one of these notification letters and what disturbs me is the scale of information involved (SS#, name, DOB, drivers license number).

    This type of information could be used to completely ruin a person’s credit rating and force them into a decade or even lifelong battle to protect themselves from future fraud. The ‘one year free’ identity theft protection being offered by Nationwide is laughable and doesn’t do nearly enough to protect those hurt by the data breach.

    I think a class action should be filed to, if for no other reason, force Nationwide to provide a lifetime’s identity theft protection service to everyone impacted.

    • admin - December 7, 2012

      You’re unlikely to get lifetime ID theft coverage. HOWEVER, in other breaches in the past, Connecticut’s Attorney General went after some companies who had been breached and got them to settle the charges by certain terms that included two years of ID theft and credit restoration services. If people call their state’s attorney general/consumer protection and complain and ask what the state is doing to help protect consumers better, maybe you’ll get some action. Good luck!

  18. Rose Dunkin - December 7, 2012

    My husband and I both received letters from Mutual of Omaha regarding a loss of personal information. We did sign up for the Equifax fraud alert. Yesterday my husband received an alert that a withdrawal of over 400.00 was taken out of his bank account. He called the bank today, and the bank did not locate the withdrawal. When I was registering for the Equifax protection I had a gut feeling that this was all a scam. How can Mutual of Omaha only offer one year of credit checks when our data will be out there for a lifetime? We did try to call Equifax today to discuss the alert. On the phone for over 45 min and could not reach a human voice. How many of these alerts are we going to get? Was on the phone with our bank, insurance agent; we also called the Federal Trade Commission. I just have a feeling that it was intentional that our personal information is out there. Mutual of Omaha should be held liable. I am very anxious to use any internet web site to post my personal information and now someone could be doing this at unlimited intervals.

    • admin - December 7, 2012

      I’m confused. What does Mutual of Omaha have to do with the Nationwide breach discussed in this thread? Did you get a notification about a different breach or the Nationwide breach?

  19. Rose Dunkin - December 7, 2012

    Sorry, letter was from Nationwide vs. Mutual of Omaha. LOL, been a long day.

    • admin - December 8, 2012

      I understand completely. 🙂

      If Equifax sent an alert and the bank cannot confirm it, I’d be concerned, too. Let me see if I can find out how to reach a human at Equifax.

  20. Joe - December 10, 2012

    Admin… I called my state’s attorney general and they were clueless saying “I’m sure nationwide is trying their hardest to find the person who did this… what more can they do?” I said “I now have a lifetime problem, they should pay for it because it was their fault.” They responded back saying “they didn’t give away your info, it was stolen.”

    So I didn’t get anywhere with that 🙁

    • admin - December 10, 2012

      Wow. What state?

      • Joe - December 10, 2012

        South Dakota… Maybe it was a Friday and the “main person” was off, I’m not sure. Any other results from anyone else?

  21. jim - December 10, 2012

    Nationwide Insurance has an obligation to “hold” our information safely. In my case, we, my wife and I, have not done business with Allied Insurance (a Nationwide company) for about six years. So, how long do these companies “hold” your info? Till they lose it all? I am not a computer guy, but an easy way to make social security numbers safe would be to hold names to them in a separate place; how hard is that?

  22. Joe - December 10, 2012

    Jim, that is what they are supposed to do. Have their stuff encrypted meaning codes and in different places. To me, I would think this is negligence on their end and I want my credit watched and protected (financial backup) from Nationwide’s pocket. I wish there was a way to find out more of what I can do.

  23. Joe - December 10, 2012

    I just got through to my “real” attorney general… WAAAY better response now. If you ever do have fraudulent activity, Nationwide is responsible for extending your watch thing to protect you, because the study that was conducted showed if nothing happens to your info within a year or two, chances are it won’t.

    • Rose Dunkin - December 10, 2012

      If actual activity does occur with our credit being frauded can a case be brought against them? Does Nationwide offer insurance on credit fraud? Any luck getting through to Equifax? I did contact Social Security and let them know our numbers are out there. I got an e-mail back that they are investigating as well.

  24. Mike Sarnell - December 11, 2012

    You know, the “promotion code” included in the letter makes me think that Equifax is using this as an opportunity to sell its fraud insurance after the year of “free” runs out.
    Like they’d continue billing your card.

    • Rose Dunkin - December 12, 2012

      That is what I was thinking too

      • Craig B - December 13, 2012

        I thought so too, but you don’t need to enter any credit card information when using the promo code.

  25. LD - December 13, 2012

    I was one of the individuals whose information was compromised. I received a letter dated 11/16; however, it was not in my mailbox until December 7th. So while the letters were printed on one date, they mailed on another. Residents of Iowa make up nearly 1/10 of all the people compromised! On top of that they are only offering 1 YEAR of protection; that is hardly a remedy. I sure do hope they resolve this problem and offer their customers something much better than that. I have been a paying customer for many years now. If litigation does happen I wouldn’t be upset, not because I want or need anything from the company but I want to know that my identity is secure for a long time to come, not just a year!! And if they won’t offer the service they can give us the money to get that kind of security. I really hope they do the right thing here; if they have core values and morals within their corporation they will reconsider offering more than one year of protection to their paying customers and to those who didn’t even have a policy! (This could be because their agent, without their knowledge, inquired about lower rates, etc. It’s a darn shame.)
