AIG Confirms Customer Data Breach

Updated: The insurance giant says the theft of a file server in March may have exposed the account information of close to 1 million individuals.

Insurance provider American International Group has confirmed the theft of a file server and other hardware that held the personal information of approximately 970,000 potential customers.

Company officials said an intruder entered one of its Midwest offices sometime after business hours in late March and walked off with a file server and other equipment, including two laptop computers, that held the data in question. According to the firm, the break-in appeared to target the equipment itself and not the information residing on the machines.

No identity thefts or fraudulent activities have been reported as a result of the break-in thus far, an AIG spokesperson said.

According to the company, the information stored on the stolen machines included the names and Social Security numbers of individuals who had requested insurance quotes from 690 individual brokers located throughout the United States. Roughly 5 percent of the stolen files included information regarding people's medical records, AIG said.


While the computer theft occurred March 31, AIG spokespeople said the company delayed reporting the situation publicly as part of its efforts to help law enforcement officials track down those who committed the crime. The company did not indicate whether anyone has been arrested as a result of those efforts.

Another reason for the delay, said AIG, was that the file server held more than 100 million pages of text that needed to be carefully examined to figure out exactly whose information might have been exposed.

AIG said it has already begun distributing warning letters to individuals whose information was involved in the theft, and it has also agreed to cover the costs of helping people restore their credit ratings if they are eventually victimized due to the data breach. The insurance company has also set up a phone line and customer support center to help distribute information to people affected by the problem.

The AIG data loss is just the latest in a long string of high-profile incidents in which well-known companies have mishandled customer information. Most recently, the U.S. Department of Veterans Affairs admitted that it had exposed the personal information of up to 26.5 million veterans when a computer was taken from an employee's home. Other recent breaches have been reported by a regional office of the YMCA and travel site

A new study from researchers at Gartner indicates that it is markedly less expensive for companies to invest in new security and encryption technologies than it is for them to respond to a data breach. According to the analyst firm, businesses pay roughly $6 per year per user for encryption tools, or $16 per user per year for intrusion prevention software licenses, versus paying out an average of $90 per user to address problems after a breach has occurred.

Editor's Note: This story was updated to clarify the number of files on the computer.
