Hundreds of California Residents Affected by North American Risk Services Breach

[nir]

SSNs, financial info, tax credentials among stolen data

 

North American Risk Services, Inc. suffered a data breach between February 7 and March 27, according to the data breach notification sample sent to the Office of the Attorney General of California, with six hundred and four customers being affected by the incident.

 

North American Risk Services is a privately held company based in Maitland, Florida, and a national third-party claims administration (TPA) services provider which processes certain aspects of companies' employee benefit plans and helps other entities reduce insurance claims costs.

 

According to the data breach notification, North American Risk Services (NARS) found out about the security incident after noticing suspicious emails being sent from one of their employee's accounts.

 

Following an investigation performed with the assistance of a security investigator, NARS discovered that a small number of company e-mails were accessed by unauthorized actors beginning with February 7 until March 27.

 

Subsequently, on June 27, the security investigator learned that the affected e-mails contained private information, but was unable to find contact information for more than a 25% of the individuals and entities affected by the breach.

 

"The personal information found within the impacted email accounts includes a combination of the individuals’ names and one or more of the following: Social Security number, driver’s license number, financial account information, medical information, health insurance information, taxpayer/employer identification number or username and password," says the breach notification.

 

The data breach only affected North American Risk Services, Inc. customers from California

NARS was able to uncover contact info on another 50% of the affected and, because of the extensive time needed for finding the rest of the contact addresses, it decided to start notifying the affected parties on August 31.

 

Next, NARS found contacts for the other 25% who did not receive a data breach alert using their Social Security numbers to pinpoint their addresses with the help of a third party company which offers address locator services.

 

All contact info for affected customers was discovered on September 7, and North American Risk Services sent the second wave of breach letters on October 5.

 

As NARS states in their breach notification, between the first and the second wave of customer alerts, six hundred and four California residents received a notice letter.

 

"North American Risk Services is offering individuals impacted by this event with access to one (1) year of complimentary credit monitoring and identity restoration services," also says the breach notification.

 

Source

[straycat19]

Doesn't seem like this company was in any hurry to notify the affected people since they didn't start notifying them till 3 months later.  By that time it would be normal for any identity theft or fraudulent charges to have already taken place, since information like this has a limited lifespan.  After the Equifax fiasco many people froze their credit reporting which effectively blocks identity theft since if you can't get a fraudulent credit card or loan it serves no real purpose. Now that the new law has passed making credit freezes free for everyone, there is no need for anyone to have an unfrozen account.  My accounts have always been frozen since it was a simple process to unfreeze and freeze them again if needed and the charge could not exceed $10, which is about the price of a large Mocha at the local coffee shop.  And if you only get a credit card from a company that supports one time use numbers so that your actual credit card number is never given out you will be relatively safe from anything except a holdup on the street.  If you carry a gun, you will be safe from that.