Desktop computer stolen from Administrative Systems, Inc.
2008-02-11 14:53:04 by Evan Francen in The Breach Blog
 

Date Reported:
2/8/08

Organization:
Administrative Systems, Inc. (ASI)*

*ASI is a licensed third party administrator that provides certain administrative services on behalf of its clients, which include insurance companies and other financial services companies. These services often include processing employee applications for insurance coverage, issuing of insurance plans and employee certificates, managing premium billing and collection for insurance plans, responding to customer service requests and other record-keeping functions.

Contractor/Consultant/Branch:
None

Victims:
Customers of various ASI partner companies**

** Lists of companies in "Strategic Partnerships" and forms.

Number Affected:
Unknown

Types of Data:
Name, dates of birth, mailing addresses, and Social Security numbers

Breach Description:
On December 29th, 2008, a desktop computer was stolen from the Seattle offices of Administrative Systems, Inc. ("ASI") that contained a database of sensitive personal information belonging to customers of the company's clients.

Reference URL:
Administrative Systems, Inc. official notice to victims
PogoWasRight.org Story

Report Credit:
Administrative Systems, Inc., with a special thanks to PogoWasRight.org

Response:
From the online sources cited above:

A desktop computer stolen from an Administrative Systems, Inc. (ASI) office in Seattle on December 29th contained names and sensitive information about customers or employees of several of the firm's clients: Continental American Medical, EyeMed Vision/Kelly Services Vision, and Jefferson Pilot Financial Dental.

ASI is a licensed third party administrator that provides certain administrative services on behalf of its clients, which include insurance companies and other financial services companies. These services often include processing employee applications for insurance coverage, issuing of insurance plans and employee certificates, managing premium billing and collection for insurance plans, responding to customer service requests and other record-keeping functions.
[Evan] Sheesh, this is some very sensitive information.  There is no mention in the notification or the Administrative Systems, Inc. web site about what is done to protect this information.

personal information about customers including name, date of birth, mailing address, social security number (“sensitive information”). The information did not include credit card information or driver’s license numbers.

We are writing to notify you of this incident and to assure you that we take this matter seriously and are taking steps designed to minimize the likelihood of such an event occurring in the future.
[Evan] What specifically is being done?

We have tightened our security measures to provide greater protection for the information we maintain and are working closely with local authorities to minimize future risks.
[Evan] Again, no specifics.

The Seattle Police Department is investigating this incident and ASI is cooperating fully with this investigation.

We suggest that you remain vigilant over the next twelve to twenty-four months by reviewing your financial account statements and monitoring your credit reports to minimize your potential risk of identity theft or fraud.
[Evan] The onus is on the data custodian to protect the information according to what is expected by the data owner.  The victims can remain vigilant, but what if data custodians are not?  Take your business elsewhere?

ASI sincerely regrets any inconvenience this incident may cause you. We know our clients value your trust and confidence and we remain committed to ensuring the security of your personal information. If you have questions for ASI regarding this incident, please call toll free 1-866-614-9454. We will be available Monday through Friday from 8 am to 8 pm Eastern time.

In its notification letter, ASI did not indicate whether the data were encrypted nor why it took over a month for individuals to be notified of the theft.


Commentary:
This is a very unfortunate breach.  I assume that many of the victims do not even know who ASI is or how they came into the possession of their information.  If I received one of the notifications from ASI, I would have more questions than answers and I would be frustrated.  As customers of companies, we provide certain personal information.  We trust that the companies we do business with will see to it that our information is adequately protected.  In this instance, information was passed on to a third-party and that third-party did not do what they should have done to protect personal information.

There is no mention of any existing controls or what controls ASI plans to evaluate to further strengthen their information security and reduce risk.  Victims and customers are left in the dark.  One can only assume what type of physical controls were in place to protect against the physical theft or what technological controls were in place to protect against compromised confidentiality.  Your guess is as good as mine.

Past Breaches:
Unknown


 
 
 
 
 
 