GEICO Third-Party Data Leak Impacts 40,000 Employees, Could Your Data Be Next?

Summary

GEICO, the second-largest auto insurer in the United States, recently announced a third-party data leak that has affected its 40,000 employees. The company notified employees that the MOVEit system was compromised "outside of GEICO's internal systems". GEICO uses MOVEit to send data via API to Delta Dental, Cinigia, and many other companies for employee benefits. Several employees have come forward saying that personal information such as Social Security numbers, address, phone, and email has been found in credit searches on the Dark Web.

 

Several individuals in the r/geico subreddit have claimed that GEICO neglected to protect the data in transit. The company has advised employees to freeze credit. 

 

Quotes

"We were recently made aware of a security issue involving MOVEit, a popular outside software program GEICO and many other businesses use to transfer data to third party vendors. We immediately implemented measures to address the issue and at this time, we have no indication that any compromises have accrued in GEICO systems. Our Cyber security team has been in close contact with outside vendors who also use this data transfer software and are closely monitoring with our partners to find out if any data they have from GEICO has been compromised, we will work to ensure they are sending out proper notification. Out of an abundance of caution, we recommend associates take action to prevent bad actors from attempting to use their personal information. One way to protect your personal information is by freezing your credit". 

 

My thoughts

This raises several questions about data security in the industry.

  1. Does this matter? In today's age, 1 in 4 people will have some kind of identity theft happen. Is it reasonable to assume that all data is already compromised? If so, should a company be held responsible at all?
  2. Is a company responsible for ensuring the partners they share data with are following proper security standards? Should GEICO be held responsible for sharing employee data with a company not following proper standards?
  3. What rights/say should employees have when it comes to who a company shares data with? If data is compromised in any way, should employees be able to sue an employer for compensation?
  4. Let's talk about the complexity for an individual maintaining their data. GEICO employees need to go through three different credit monitoring services and freeze accounts; what about SSN and other information? Who is responsible for ensuring that individuals have the tools to protect their own data?

 

Sources

  • r/GEICO reddit
  • Current GEICO Employees
  • Experian Monitoring Report

 

 


So that means other users of MOVEit are also compromised?


Obviously concerning, but at this point 40k affected by a data breach is fairly unimpressive as these things go. The bigger concern is about MOVEit as a whole, since the potential that this attack could be used against other customers if not patched quickly is obviously worrying.


9 hours ago, Spoon1998 said:

Does this matter? In today's age, 1 in 4 people will have some kind of identity theft happen. Is it reasonable to assume that all data is already compromised? If so, should a company be held responsible at all?

Honestly the best thing for everyone to do is put a credit freeze in at all the credit bureaus. This prevents shit from being opened in your name. Prevents credit reports from being run by 3rd parties, as long as you don't already do business with them. This is what I did after Equifax leaked my info. Another thing to consider is that Equifax did leak like 50% of the Social Security numbers in the US, so......... at least half the country was compromised. Personally I think it's time that the "Social Security numbers" stop being used as an identity, we need a better system.


1 hour ago, Donut417 said:

Honestly the best thing for everyone to do is put a credit freeze in at all the credit bureaus. This prevents shit from being opened in your name. Prevents credit reports from being run by 3rd parties, as long as you don't already do business with them. This is what I did after Equifax leaked my info. Another thing to consider is that Equifax did leak like 50% of the Social Security numbers in the US, so......... at least half the country was compromised. Personally I think it's time that the "Social Security numbers" stop being used as an identity, we need a better system.

But since there is no “new” system to replace the Social Security Numbers system, then wouldn’t the employees be subject to identity fraud?


2 minutes ago, EllieCat said:

But since there is no “new” system to replace the Social Security Numbers system, then wouldn’t the employees be subject to identity fraud?

To an extent. If people are smart like me they have their credit frozen. Which makes it harder to do things for both a criminal and for the person itself. 


6 hours ago, Donut417 said:

To an extent. If people are smart like me they have their credit frozen. Which makes it harder to do things for both a criminal and for the person itself. 

What happens if they don’t freeze their credit? Also, can’t they just get a new credit card?


2 hours ago, EllieCat said:

What happens if they don’t freeze their credit? Also, can’t they just get a new credit card?

A credit freeze prevents companies who you haven't done business with from running a credit report, which is needed to open any type of accounts and such. So if you don't freeze it and they get your Social Security number and have your name and a few details which are easy to find, they can open all kinds of accounts in your name.
