Insurance giant Aviva has been forced to apologize to customers after an employee sold confidential information on motor accident claims to third party firms.
Aviva is now contacting thousands of motorists who had accidents in 2013 and 2014 and are thought to have been affected by the internal data breach.
The employee in question has been fired and the police, Financial Conduct Authority and data protection watchdog the Information Commissioner’s Office (ICO) have all been informed, according to the BBC.
One Aviva customer told the Beeb that after she settled an insurance claim following a 2013 car accident, she began to receive nuisance calls on her mobile from personal injury claims firms, sometimes up to 10 times a day.
The British insurer claimed no sensitive personal information, such as financial or medical details, was disclosed in the breach.
The letter Aviva recently sent to its customers included the following:
"I am writing to make you aware that Aviva has identified that information about a motor claim which you were involved in may have been accessed and passed to a third party without Aviva's consent. We have dismissed the employee concerned and reported this to the police and the Financial Conduct Authority."
The wording of the letter is said to be very similar to that of a missive sent by Aviva two years ago after tens of thousands of customers had their data sold to third parties by an employee.
Luke Brown, EMEA general manager of Digital Guardian, argued that spotting insider threats can be difficult, especially as the individual responsible often has legitimate access to sensitive data.
“There are numerous technologies out there designed to combat insider threats, and small investments can go a long way. Deploying data-aware cybersecurity solutions removes the risk factor associated with disgruntled employees and insider threats because even if someone has access to the data, they are prevented from copying, moving or deleting it without approval,” he explained.
“Aviva is just the latest target of an insider breach, but it certainly won’t be the last.”