A Million Identities Stolen From Two Financial Services FirmsA Million Identities Stolen From Two Financial Services Firms

The thefts of personal data on nearly a million people have been revealed in the last two days, in one case from a server collecting insurance-proposal information over the Internet. But the actual loss of data took place the old fashioned way—by a burglar breaking in to locked premises and carrying off the computers. Consequently, police and insurance officials hope the physical hardware was the target, not the data. Those whose data was lost in the theft are being notified by letter this week.

American International Group Inc. of New York, one of the world's largest insurance companies, said a break-in at an unspecified Midwest regional office resulted in the loss of two laptops and a server. The server contained information on 970,000 employees at several hundred companies, information that had been collected by brokers and aggregated on one computer in order to solicit a quote from AIG, according to AIG spokesman.

The break-in occurred in March but has not been disclosed until recently in hopes of avoiding notifying the burglar of the valuable data on the server. The data was protected by an application that requires a user name and password to access it. If the server has been fenced or sold to an intermediary, the drive most likely has been erased and written over for reuse by its new owner, company officials say. But no one knows for sure.

"The burglar took a camera and a music CD as well as the computers," which lead police to believe it was a theft that had not targeted at the personal data, said Christian Murray, AIG spokesman, in an interview.

"So far, we are not aware of any misuse of personal data," said Murray. The firm is getting ready to send out notices to the individuals whose data was stolen. The data included Social Security numbers, "and in a few cases, personal medical information," since the brokers were seeking a quote from AIG on "excess medical" coverage, or coverage for employees who need insurance beyond the limits allowed by most health plans.

"We have asked brokers not to submit Social Security numbers any more with personal identities for quote purposes," said Murray. AIG, which does not employ its own agents, relies on brokers to aggregate business and submit it for a quote.

A full description of how the data came to be concentrated one server wasn't available, but Murray said 690 brokers had collected it from many employers in the U.S. and submitted it to the AIG regional office. A company spokesman couldn't describe what process was used to collect the data. But the aggregation of many identities on a single server reflects the increased use of the Internet and streamlined business processes commonly found in the insurance industry to make the quote process more efficient. AIG moved control of its technology subsidiary, AIG Technologies Inc., under the corporate headquarters CIO last year.

In another case, the laptop of an ING U.S. Financial Services agent was stolen in home burglary. It contained the Social Security numbers and other personal data of 13,000 retirees and employees of the District of Columbia, participants in ING's 457 Deferred Compensation Plan for the district. The information was not protected by password or encryption.

"This is an unfortunate situation and we regret that it has occurred," said Brian Comer, president of ING Life Insurance and Annuity Co.

Like AIG, ING said the theft appeared aimed at the value of the hardware, not the personal data, since several personal possessions were stolen along with the computer. Nevertheless, Comer said, "We take this very seriously."

ING is notifying the affected individuals that their data has been stolen. It will monitor use of credit and possible fraudulent use of identity information for 12 months through Equifax, a credit risk analysis firm. Comer said ING has a review underway to ensure that ING laptops use encryption and password protection in the future.