At Least 28,000 Affected In Breach At Nationwide Insurance

Nationwide may not be on your side, at least when it comes to press containment and incident response. According to a letter from the insurance company recently delivered to customers, the firm is cleaning up after a nasty data breach. However, they’re not disclosing the full scale and scope of the breach itself in order to prevent panic, a Nationwide Mutual spokesperson has stated.

In a letter sent to clients, confirmed by state officials in California and Georgia, it was disclosed that on October 3, 2012, a portion of the computer network used by Nationwide and Allied Insurance agents was successfully compromised by an outside source. The attack was discovered that day, and the company’s incident response plans were placed into action.

On October 16 (thirteen days later), Nationwide ascertained that the attacker had stolen data from the network, and then on November 2 (seventeen days later) the stolen information was confirmed by the company. In statements to the press and various local media, Nationwide has not explained the gap in their investigation – nor have they explained why the security incident was disclosed 33 days after the fact.

“Although we are still investigating the incident, our initial analysis has indicated that the compromised information included your name and [Social Security number, driver’s license number, date of birth] and possibly your marital status, gender, and occupation, and the name and address of your employer. At this time, we have no evidence that any medical information or credit card account information was stolen in the attack,” a notice to Nationwide customers explains.

Nationwide will not say how many customers were impacted by the breach, but at least 28,000 customers in Georgia were expected to get a letter. This is important to note, because that total comes from Georgia’s state Insurance Commissioner’s office – and likely represents the grand total of Nationwide’s clients and applicants in the state.

Elizabeth Christopher Giannetti, a Nationwide Mutual spokesperson, told The Atlanta Journal-Constitution that only affected customers are being notified by the company. She declined to comment on the scope of the breach, saying that the company wished to avoid alarming customers who were not affected.

Since the breach impacts customers and those who applied to be customers, the total number of impacted customers is expected to be massive. The company is offering a year of credit monitoring and protection to those impacted by the breach.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.