October’s Nationwide breach exposed 1.1 million Americans

Now more information has emerged following the publication of two documents: an online notice from Nationwide, and a statement from the Iowa Department of Justice. The former describes the incident. It happened on 3 October. “We discovered the attack that day, and took immediate steps to contain the intrusion,” says Nationwide. By 16 October Nationwide knew that data had likely been stolen, and on 2 November it knew the names of those compromised. On 16 November it started writing to those people (on 17 November the DataBreaches website commented favorably on the content of the notification letters), and on Wednesday 5 December Nationwide posted its online notice.

The Nationwide notice says, “our initial analysis has indicated that the compromised information included certain individuals’ name and Social Security number, driver’s license number and/or date of birth and possibly marital status, gender, and occupation, and the name and address of their employer.” What it does not say anywhere is how many people were affected, or whether the data was encrypted, hashed or stored in plain text. VentureBeat reports that the company suspects that the attack “came from outside the United States.” If so, the data is almost certainly now held outside the United States, and is a potential gold mine for targeted phishing and social engineering attacks against the people affected.

Commenting on the DataBreaches report, ‘Kirk’ says, “I got the notice [the letter], yet have never applied for nor gotten Nationwide insurance; how would they have my personal information in the first place?”

It is the statement from the Iowa Department of Justice that goes some way toward explaining this, and it also provides numbers, though it still does not mention encryption. The statement quotes Attorney General Tom Miller: “Many Iowans are probably confused about how they could have gotten caught up in this massive data breach,” Miller said. “That’s because sometime over the last year or so someone may have sought a competitive insurance quote through a company or third party agent, and that agent may have obtained quotes from several companies, including Nationwide, on their behalf. In fact, they may not have even realized the agent checked with Nationwide,” Miller added. “To get that quote, the agent provided the consumer’s personal information to Nationwide, and that’s what we now know has been stolen.”

The data breach affects approximately 1.1 million people nationally, according to the North Carolina Attorney General – 91,000 in Iowa.

In terms of data protection and privacy, Nationwide clearly has some questions to answer. Although it discovered and stopped the intrusion on the same day, it doesn’t say when the intrusion commenced. Nor does it say whether the data was encrypted. And finally, it may have to justify a delay of about seven weeks between discovery and notifying victims.