Nationwide Mutual Insurance agrees to massive £4 million settlement for data breach that exposed data belonging to 1.27 million people

Insurance and financial services giant Nationwide Mutual Insurance has agreed to pay out around £4 million to settle a colossal data breach that reportedly exposed personal data belonging to 1.27 million of their consumers.

Nationwide Mutual Insurance was attacked by hackers who managed to obtain a haul of personal data, including: Social security numbers; Driving licence details; Credit scores; and other personally identifiable information.

With this information, hackers and cybercriminals can be equipped with the tools required to commit identity fraud and therefore inflict huge harm and disruption to lives of the victims.

The huge risks of identity theft

With a stolen identity, victims may find themselves left with little control over their own lives. Fraudsters can open bank accounts in the victim’s name, take out credit cards and loans, or perhaps apply for state benefits. The financial and reputational damage identity theft can cause can be monumental, and can leave a victim severely distressed and financially harmed.

This is why this breach is such a huge one. Victims were clearly left at risk.

Information security questioned

Nationwide Mutual Insurance have essentially opened their customers to risks of potential fraud, and the question remains as to how hackers managed to break in to their systems in the first place. With such a wealth of sensitive information stolen, there is a clear argument that their cybersecurity measures were not good enough at all.

Now the information is out there, those 1.27 million people are at risk of identity theft as long as the stolen information remains valid.

The duty to safeguard information

All companies and organisations who hold and use personal data have a duty to keep that information safe and secure. Whilst nothing is usually seen as “impenetrable”, organisations need to ensure they do all that they reasonably can to protect their clients and customers. Here, Nationwide Mutual Insurance’s reported negligence in applying critical security software has ultimately cost them £4 million.

Attorney General Eric Schneiderman emphasised Nationwide Mutual Insurance’s reported neglect with regards to their responsibilities:

“Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process.”

According to Nationwide Mutual Insurance, when the company discovered the data breach, damage control procedures were quickly rolled out and the breach was reported to the necessary authorities. Nationwide Mutual Insurance spokesman, Eric Hardgrove, said:

“[Nationwide Mutual Insurance] is pleased to have reached a settlement that we believe is consistent with our longstanding commitment to protect customer information.”

Is any compensation ever enough for the victims?

For the 1.27 million victims, Nationwide Mutual Insurance has made the common offer of a year’s free credit monitoring and identity-fraud protection through a third party vendor. The company also recommended that consumers ought to set up a fraud alert and put a security freeze on their credit reports. Unfortunately, this comes with a cost of up to around £20.00 to implement and then remove; a cost that Nationwide Mutual Insurance has apparently not offered to cover…

In addition to the £4 million payout, Nationwide Mutual Insurance’s settlement also includes a commitment to upgrade their security measures to prevent the same thing happening again. News sources report that these commitments include updating “procedures for maintenance and storage of consumers’ personal data, conduct regular inventories of computer system security patches and updates and take other steps to safeguard consumer information.”