Here's a transaction Transamerica regrets: Transgressors swipe retirees' personal info

45,000 plan holders hit by crooks, say corp officials


Updated Financial house Transamerica has admitted criminals swiped some of its customers' sensitive personal information, including social security numbers.

In a formal notice sent to the California Attorney General's office this month, the US insurance and investment giant said an "unauthorized" person was able to get into its systems some time between March 2017 and January 2018, and siphon off the names, addresses, social security numbers, dates of birth, financial account information, and employment details of people holding Transamerica Retirement Solutions accounts.

It appears the affected retirees were sharing the same usernames and password combinations across multiple websites and services, including Transamerica. When one of these other sites leaked their login details, miscreants were able to reuse them to access Transamerica accounts – an act known as credential stuffing.

In short, don't reuse the same password for multiple accounts.

"Please note that most individual accounts were accessed only once or at limited points in time during this time frame," Transamerica told affected customers.

"We found no evidence of a compromise of Transamerica’s network and systems, but unauthorized parties used compromised third-party user credentials to log into Transamerica systems and access your account information."

The Register asked Transamerica exactly how many of its customers were whacked by the hack, and we have yet to hear back. The biz has not said if it has any reports of the stolen information being used for fraud.

"We began an investigation as soon as we learned of the incident, engaged a leading cybersecurity forensics firm, and contacted appropriate law enforcement," customers were told in a memo from Transamerica.

"We continue to work diligently to minimize the impact of this event and may take additional steps to enhance the security of your account based on our investigation."

To remedy the situation, Transamerica says it is flagging up, and monitoring any accounts that were accessed by the miscreants. The biz is also offering its customers one year of identity monitoring services, a fairly standard measure taken by companies in the wake of a major data breach. Customers will have until August 30 to enroll in the monitoring service.

In addition to credit monitoring, Transamerica is asking customers to change their passwords with new, complex logins. ®

Updated to add

A spokesperson has been in touch to put a figure on the extent of the security cockup:

Of the approximately 5.4 million participant accounts that Transamerica serves in the United States, we have identified approximately 45,000 individuals whose personal data was potentially exposed as a result of this incident. We remain dedicated to providing the highest quality of care and security to our customers and are working with care, diligence and expert resources to bring this to a conclusion.


Other stories you might like

  • Oracle sued by one of its own gold-level Partners of the Year over government IT contract
    We want $56 million, systems integrator tells court

    Oracle has been sued by Plexada System Integrators in Nigeria for alleged breach of contract and failure to pay millions of dollars said to be owed for assisting with a Lagos State Government IT contract.

    Plexada is seeking almost $56 million in denied revenue, damages, and legal costs for work that occurred from 2015 through 2020.

    A partner at Plexada, filed a statement with the Lagos State High Court describing the dispute. The document, provided to The Register, accuses Oracle of retaliating against Plexada and trying to ruin the firm's business for seeking to be paid.

    Continue reading
  • Governments opt for XaaS, dump datacenters in droves
    Outsource all the things! To whom? The lowest bidder of course, says Gartner

    The world's governments are eager to let someone else handle their IT headaches, according to a recent Gartner report, which found a healthy appetite for "anything-as-a-service" (XaaS) platforms to cut the costs of bureaucracy.

    These trends will push government IT spending to $565 billion in 2022, up 5 percent from last year, the analyst house claims. Gartner believes the majority of new government IT investments will be on service platforms by 2026.

    "The pandemic sped up public-sector adoption of cloud solutions and the XaaS model for accelerated legacy modernization and new service implementations," Gartner analyst Daniel Snyder said in a release. "Fifty-four percent of government CIOs responding to the 2022 Gartner CIO survey indicated that they expect to allocate additional funding to cloud platforms in 2022, while 35 percent will decrease investments in legacy infrastructure and datacenter technologies."

    Continue reading
  • Israeli air raid sirens triggered in possible cyberattack
    Source remains unclear, plenty suspect Iran

    Air raid sirens sounded for over an hour in parts of Jerusalem and southern Israel on Sunday evening – but bombs never fell, leading some to blame Iran for compromising the alarms. 

    While the perpetrator remains unclear, Israel's National Cyber Directorate did say in a tweet that it suspected a cyberattack because the air raid sirens activated were municipality-owned public address systems, not Israel Defense Force alarms as originally believed. Sirens also sounded in the Red Sea port town of Eilat. 

    Netizens on social media and Israeli news sites pointed the finger at Iran, though a diplomatic source interviewed by the Jerusalem Post said there was no certainty Tehran was behind the attack. The source also said Israel faces cyberattacks regularly, and downplayed the significance of the incident. 

    Continue reading

Biting the hand that feeds IT © 1998–2022