International insurance group AIG, which claims to be the world leader in property & casualty and life insurance, recently had to notify over 930,000 of its customers of another kind of risk -- the possibility of identity theft after a file server containing sensitive personal data was stolen.
Details are sketchy about the theft, but according to AIG spokespeople, a burglar broke into an AIG office in an undisclosed Midwestern city on March 31st and made off with the server.
AIG spokesman Chris Winans claimed that the burglar could not have had knowledge of what he was stealing, and that the company did not immediately disclose the theft to avoid tipping him off.
Winans did not provide any explanation of why, in his opinion, the thief would not have known what data was on the server.
The file server contained such data as names, addresses, and Social Security numbers. According to Winans, the data was provided by third-party brokers who contacted AIG looking for quotes on excess insurance coverage provided by employers.
"One of the things we would say is that brokers were bringing us information that we didn't need to provide a quote," Winans said in a statement. "We don't need names and Social Security numbers. We just needed statistical information about claims."
Winans admitted that the information, though password-protected, should never have been on the file server in the first place.
AIG later stated it would cover the cost of "restoration services" for those affected by the theft. The firm stated it was setting up a call center for affected customers, and was mailing notification letters this week.
Ironically, one of AIG's offerings is individual and group insurance coverage against identity theft and fraud. The company's Personal Identity Coverage and Fraud Safeguard products are designed to provide "expert assistance and financial relief to victims of identity theft.
The company's press material boasts: "Personal information such as a social security number or credit card number can be compromised in seconds, leaving you to unravel the financial mess that identity thieves create Regardless of how cautious or prudent you may be, the threat to your [assets] has never been greater."
Although the data was on a file server, the theft bears a strong resemblance to the epidemic of laptop thefts plaguing government and business in recent months, wherein employees either fail to properly secure data from theft or "lose" devices carrying the data.
(/news04/2006/03/laptop_thefts.html)Employees or customers of Verizon, Ernst & Young, Aetna and, most recently, the Veterans Administration have all been put at risk for identity theft or fraud due to the loss of their personal information.
In virtually all of these cases, there has been a "lag" of weeks or months between the discovery of the theft and the notification of the public, and the standard response seems to be to offer a free "credit monitoring service," and leave it at that.
