Updated
Financial house Transamerica has admitted criminals swiped some of its customers' sensitive personal information, including social security numbers.
In a formal notice sent to the California Attorney General's office this month, the US insurance and investment giant said an "unauthorized" person was able to get into its systems some time between March 2017 and January 2018, and siphon off the names, addresses, social security numbers, dates of birth, financial account information, and employment details of people holding Transamerica Retirement Solutions accounts.
It appears the affected account holders had reused the same username and password combinations across multiple websites and services, including Transamerica. When one of those other sites leaked its users' login details, miscreants were able to replay the leaked credentials against Transamerica's login page and get into matching accounts – an attack known as credential stuffing, in which no flaw in the target's own systems is needed, only a list of passwords people have used elsewhere.
In short, don't reuse the same password for multiple accounts.
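Credential stuffing leaves a recognisable trace on the target's side even when, as Transamerica says, its own systems were not broken into: one source address walks through many different usernames in a short time, most attempts fail, and the occasional success is a reused password. The following is an added example, not code from the article or from Transamerica, that runs that check over a constructed login audit log. The log format (timestamp, source IP, username, result), the 60-second window and the thresholds are all assumptions chosen for illustration, and the sample lines are made up.

```python
"""Flag credential-stuffing sources in login audit logs (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime

# Assumed tuning values; a real deployment would calibrate these against its own traffic.
WINDOW_SECONDS = 60       # look-back window per source address
MIN_DISTINCT_USERS = 5    # a genuine user rarely tries five different accounts in a minute
MIN_FAIL_RATIO = 0.5      # stuffed lists mostly fail; a forgetful user usually succeeds quickly

# Constructed sample log: "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>".
# 198.51.100.7 sprays eight accounts and hits two; the other sources are ordinary logins.
SAMPLE_LOG = """\
2018-01-10T02:00:01Z 198.51.100.7 alice.r FAIL
2018-01-10T02:00:02Z 198.51.100.7 bob.k FAIL
2018-01-10T02:00:02Z 198.51.100.7 carol.m SUCCESS
2018-01-10T02:00:03Z 198.51.100.7 dave.p FAIL
2018-01-10T02:00:04Z 198.51.100.7 erin.s FAIL
2018-01-10T02:00:04Z 198.51.100.7 frank.t SUCCESS
2018-01-10T02:00:05Z 198.51.100.7 grace.u FAIL
2018-01-10T02:00:06Z 198.51.100.7 heidi.v FAIL
2018-01-10T09:14:00Z 203.0.113.20 ivan.w FAIL
2018-01-10T09:14:20Z 203.0.113.20 ivan.w SUCCESS
2018-01-10T09:30:00Z 203.0.113.21 judy.x SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=WINDOW_SECONDS,
                               min_users=MIN_DISTINCT_USERS, min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: {"distinct_users": set, "hits": set}} for sources that, within any
    sliding window, tried at least `min_users` different accounts with a failure
    ratio of at least `min_fail_ratio`. "hits" are accounts that source logged into."""
    recent = defaultdict(deque)   # ip -> events still inside the window
    findings = {}
    for ts, ip, user, result in events:
        q = recent[ip]
        q.append((ts, user, result))
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        users = {u for _, u, _ in q}
        fails = sum(1 for _, _, r in q if r == "FAIL")
        if len(users) >= min_users and fails / len(q) >= min_fail_ratio:
            f = findings.setdefault(ip, {"distinct_users": set(), "hits": set()})
            f["distinct_users"] |= users
            f["hits"] |= {u for _, u, r in q if r == "SUCCESS"}
    return findings


def accounts_to_review(findings):
    """Accounts successfully entered from a flagged source: these need a forced
    password reset and a look at what was viewed, not just a login alert."""
    return sorted(set().union(*(f["hits"] for f in findings.values())) if findings else set())


if __name__ == "__main__":
    found = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, info in found.items():
        print(f"{ip}: tried {len(info['distinct_users'])} accounts, got into {sorted(info['hits'])}")
    print("accounts to review:", accounts_to_review(found))
```

The check keys on the source address because that is what a single cheap script looks like; a more careful attacker spreads the list across proxies so each address stays under any per-IP threshold, which is why this belongs alongside per-account signals (first login from a new device or country, a success immediately after a failure on an account that has never failed before) and a check of new passwords against known-breached lists at password-change time.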
"Please note that most individual accounts were accessed only once or at limited points in time during this time frame," Transamerica told affected customers.
"We found no evidence of a compromise of Transamerica’s network and systems, but unauthorized parties used compromised third-party user credentials to log into Transamerica systems and access your account information."
The Register asked Transamerica exactly how many of its customers were whacked by the hack, and we have yet to hear back. The biz has not said if it has any reports of the stolen information being used for fraud.
"We began an investigation as soon as we learned of the incident, engaged a leading cybersecurity forensics firm, and contacted appropriate law enforcement," customers were told in a memo from Transamerica.
"We continue to work diligently to minimize the impact of this event and may take additional steps to enhance the security of your account based on our investigation."
To remedy the situation, Transamerica says it is flagging and monitoring any accounts that were accessed by the miscreants. The biz is also offering its customers one year of identity monitoring services, a fairly standard measure taken by companies in the wake of a major data breach. Customers will have until August 30 to enroll in the monitoring service.
In addition to the identity monitoring, Transamerica is asking customers to change their passwords to new, complex ones. ®
Updated to add
A spokesperson has been in touch to put a figure on the extent of the security cockup:
Of the approximately 5.4 million participant accounts that Transamerica serves in the United States, we have identified approximately 45,000 individuals whose personal data was potentially exposed as a result of this incident. We remain dedicated to providing the highest quality of care and security to our customers and are working with care, diligence and expert resources to bring this to a conclusion.