Nationwide Mutual Insurance and its subsidiary Allied Property and Casualty Insurance just settled with 33 states for $5.5 million dollars that came about from a 2012 multi-state data breach. The settlement will be used to cover the costs of litigation, the investigation and consumer protection law enforcement, data security improvement, and other fees.
Nationwide's data breach occurred in September 2012
In September 2012, cybercriminals hacked Nationwide's system. The criminals stoled personal data from 1.27 million clients. Some of the affected customers were Nationwide's customers, but perhaps the most disturbing fact about the breach is that some of the affected individuals were only obtaining quotes from Nationwide, yet their data was still stored. The stolen data included social security numbers, driver licenses, and credit scores. The hackers gained access to the system by leveraging a flaw in a third-party application.
The data breach could have been preventedUnfortunately for Nationwide's affected customers, this entire breach could have been avoided. The third-party vendor used by Nationwide released a patch for this cybsercurity vulnerability three years prior to the incident. Nationwide failed to apply the patch and instead waited until after the breach to fix the flaw. The investigation that followed was led by the attorney generals for Washington D.C., New York, Florida, Maryland and Connecticut.
Nationwide's costly data breach settlement
In addition to paying a fine of $5.5 million dollars, the settlement requires Nationwide to update its security practices to ensure patches are applied in a timely manner. Moreover, the company is required to hire a Technology Officer tasked with monitoring and managing software and security updates. The technology officer will also supervise employees responsible for evaluating and coordinating maintenance, management and application of security patches. Over the next three years, Nationwide must update its policies for how personal data is stored, conduct regular inventories of patches and updates, maintain and use tools to monitor the state of security for its systems, and perform internal assessments of patch management practices. Nationwide will also need to hire a third-party vendor to perform an annual audit of its practices for collecting and storing personal information.