A Cotse Exclusive Investigative Report:
"What do 'other' insurance companies already know about you?"
8/27/01, Published 8/30/01
by John Holstein, Cotse Helpdesk / Support
First, let me explain. Since this article's inception, the "powers that be" have altered their website content to reflect a more privacy-oriented means of acquiring and delivering information. You see, we did the most prudent thing we could do (thanks to a lot of influence from my colleagues): we notified GEICO, the insurance company in question, about our article. GEICO responded with a very positive email, stating that the feature described below was being removed from their website even as they were speaking to me. This in itself is another small victory for the privacy advocates of the world and a respectable step in the right direction by GEICO.
The Article
Quoting GEICO representatives:
Dear Mr. Holstein,
"....Thank you for your email regarding the security precautions for the application pre-fill function on the GEICO website. When we instituted this function earlier this year, we carefully considered the need to prevent unauthorized access to individuals' personal information....
....We understand, however, that in the highly-charged privacy environment, which exists in our nation today, the idea that certain personal information can be retrieved by inputting other information can be a scary prospect....
....We implemented this process as a test to assist people in completing the quote request process more quickly. However, it did not meet our expectations. After weighing the costs and benefits, we decided to discontinue this test. We are in the process of removing it from our site....
We thank you for your well-intentioned scrutiny and appreciate your giving us the opportunity to respond in a timely fashion...."
I would personally like to thank the members of the GEICO Internet Systems Department and the executives involved for their thoughtful efforts in taking down the web pages that had the potential to be a major privacy leak.
On August 27, 2001, I finally decided to check out a few of the "online insurance" agencies. I wanted to get a quote for insurance on one of my vehicles, figuring the prices would be cheaper online and much easier to deal with than the drive to the insurance agency and fighting with yet another 'blue-suit'.
I visited several different insurance company sites, such as State Farm, Nationwide and GEICO. After seeing GEICO's "gecko" commercial many times on TV, I decided to check out the "GEICO Direct" services on their site, just to see how cheaply I could get insurance.
I followed the link from their main page to the free quote page, where I was presented with two choices: "Complete a free online rate quote", or log in. Since I wasn't a customer and hadn't been there before, I chose the first. After entering, I was given two more choices, the most enlightening of which was "Let's look you up". The page, no longer available in its original form thanks to GEICO's thoughtful removal, involved three simple steps:
1) Enter your home phone number;
2) Enter your Birthdate;
3) Enter the last four digits of your Social Security Number.
After doing so, I was a little surprised at what it gave me. First, my home address was presented. The phone number I used is unlisted/unpublished. I know, I know, any good ANAC system can still give you the info on it, but this is an insurance company database. Anyway, the reason I was surprised is that the phone isn't in my name. How the heck did they cross-reference that phone number, one that hasn't been in existence all that long (less than a year), to me?
Well, if that wasn't enough, I selected "yes, this is my address" and clicked "continue". Again I was surprised, but not as much as before; I could already foresee the outcome. They had me in their database. How, I don't know, but I was there, well before doing this "rate quote". They cross-referenced the aforementioned information to my name, which showed on the page. There I was, "John Holstein", in the database. I hit continue again and was taken to a page that presented my vehicle information, including the vehicle identification number.
There on the pages, my personal information was brought to me by an insurance company, one which I have never dealt with in the past. I was horrified that getting this information was so easy! Not for myself mind you, but for everyone else out there. My life is rather mundane and I exist in a tiny bubble where I don't use credit cards, I don't have multiple loans or what-not, and frankly, my credit is terrible anyway, so my financial matters won't help a credit thief very much.
The page in question did contain a small disclaimer, stating that the user authorized the request. This may be true; however, what would stop a cracker from "authorizing" the same request? Without a legally binding authorization, what right(s), if any, do companies have to deliver personal/private/confidential (perhaps not) information to the web? What of the "privacy act statement"? True, the entire Social Security Number wasn't used; I will let the corporate attorneys worry over that issue.
I discussed the situation with several colleagues, a few of whom decided to try it out for themselves. After a few minutes, one of my associates replied:
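The three-step "look you up" flow above is, in security terms, knowledge-based authentication: three pieces of data that are not secret (a phone number, a birthdate, four digits of an SSN) are accepted as proof of identity, and a full record comes back. The following is an added example, not GEICO's code (the article never shows their implementation), that models that flow against a constructed record set and contrasts it with a hardened variant. The record store, the five-attempt cap, the masking rule and the "verify via another channel" step are all assumptions chosen for illustration; the point it demonstrates is that once an attacker has the phone number and birthdate (the "little bit of info" the article says is easy to get), the only remaining unknown is a four-digit number, so an unthrottled endpoint falls to at most 10,000 requests.

```python
"""Model of a "look you up" pre-fill endpoint, weak and hardened.

Added example; the record data below is constructed and belongs to no real person.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass(frozen=True)
class Record:
    phone: str      # home phone, digits only
    dob: date       # date of birth
    ssn_last4: str  # last four digits of the SSN
    name: str
    address: str
    vin: str


# Constructed sample records (assumption: this is what the pre-fill data looks like).
RECORDS = [
    Record("2025550143", date(1966, 7, 4), "4821", "A. Sample",
           "12 Elm St, Anytown", "1HGCM82633A004352"),
    Record("2025550198", date(1981, 11, 23), "0917", "B. Sample",
           "77 Oak Ave, Anytown", "JH4KA8260MC000000"),
]
INDEX = {(r.phone, r.dob, r.ssn_last4): r for r in RECORDS}


class WeakPrefill:
    """The flow as the article describes it: three weak identifiers in,
    name, address and VIN out, and nothing limiting how often you may ask."""

    def lookup(self, phone: str, dob: date, last4: str) -> Optional[dict]:
        r = INDEX.get((phone, dob, last4))
        if r is None:
            return None
        return {"name": r.name, "address": r.address, "vin": r.vin}


class LockedOut(Exception):
    """Raised once a phone number has exhausted its guesses."""


class HardenedPrefill:
    """Same inputs, but: a per-phone attempt cap, masked output, and the full
    record released only after a code sent over a channel the attacker does
    not control (mailed or phoned to the number/address on file)."""

    MAX_ATTEMPTS = 5  # assumption: a small fixed budget per identifier

    def __init__(self) -> None:
        self._attempts = {}

    def lookup(self, phone: str, dob: date, last4: str) -> Optional[dict]:
        n = self._attempts.get(phone, 0)
        if n >= self.MAX_ATTEMPTS:
            raise LockedOut(phone)
        self._attempts[phone] = n + 1   # count the attempt whether or not it matches
        r = INDEX.get((phone, dob, last4))
        if r is None:
            return None
        # Even on a match, show only enough for "is this you?"; never the VIN.
        return {"address_hint": mask(r.address), "verify_via": "code sent out of band"}


def mask(s: str) -> str:
    """Keep the first and last character, blank the rest."""
    return s[0] + "*" * (len(s) - 2) + s[-1]


def brute_force_last4(service, phone: str, dob: date) -> Tuple[Optional[dict], int]:
    """Attacker already knows phone and DOB; enumerate the 10,000 last-4 values.
    Returns (first hit or None, number of requests the service answered)."""
    answered = 0
    for guess in range(10_000):
        try:
            hit = service.lookup(phone, dob, f"{guess:04d}")
        except LockedOut:
            return None, answered
        answered += 1
        if hit is not None:
            return hit, answered
    return None, answered


def search_space(known_dob: bool, dob_year_span: int = 60) -> int:
    """Guesses an attacker who knows only the phone number faces: DOB choices
    (one if already known, else roughly 365 per plausible birth year) times
    the 10,000 possible last-4 values."""
    dob_choices = 1 if known_dob else dob_year_span * 365
    return dob_choices * 10_000


if __name__ == "__main__":
    victim = RECORDS[0]
    hit, n = brute_force_last4(WeakPrefill(), victim.phone, victim.dob)
    print("weak endpoint:", hit, "after", n, "requests")
    hit, n = brute_force_last4(HardenedPrefill(), victim.phone, victim.dob)
    print("hardened endpoint:", hit, "after", n, "requests")
    print("search space, DOB unknown:", search_space(False))
```

Run as a script it shows the weak endpoint giving up the VIN after 4,822 requests and the hardened one locking the phone number after five answers with nothing more than a masked address ever on the wire. The attempt cap is the part that matters most: without it, even the masked variant is only a slower enumeration, and with it, an attacker needs a better-than-1-in-2000 guess at the last four digits. The `search_space` helper makes the other half of the argument explicit: the "you need some basic info first" defense shrinks the problem from millions of guesses to ten thousand once the birthdate is known, and the article's point is that the birthdate is rarely hard to find.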
".... partially going through their procedure, I would say that as a parent, I am appalled and terrified that children's names and dates of birth could be obtained by someone accessing their database this way."
That's right folks. Her children's names come up in the presentation, her kids that do not have drivers licenses. Folks, this information is out there for the taking.
Some would say that in order to obtain said information, you first need some basic information about the person you wish to target. How many times have I heard this argument? How hard do you think it is to obtain that little bit of info? Not very. I know people who could call up just about anyone and get most of the info on those pages without needing to delve into the database.
Sure, there are people out there who are oblivious to this type of targeting. Some people are "black holes" when it comes to information gathering. What about you? What about your kids or your parents? What of the average "Joe and Joann American"? Do you think the average person is susceptible to crime? Are they targets for crackers? You had better bet on the fact that crackers don't target the "black-hole" people. Crackers target the people who are in the databases. (Me? Probably.)
So what are we to do? Well first and foremost, I think we should all find out exactly how they came up with this information and what rights, if any, they have to publicize it. Secondly, as if I should be telling you this, we should back our brothers and sisters in their fight to protect our privacy, such as the Electronic Frontier Foundation and other privacy advocates listed on this site: http://www.privacyexchange.org/gpd/sites/advocacysites.html And third, we should notify (which I did, and it worked) the company involved and allow them the opportunity to see the error in their ways. GEICO did the proper thing, they discontinued use of the pages in question, strengthening my opinion that not all companies are out to divulge your personal information.
Frankly, I am appalled at the industry for allowing this information to be placed on webservers that have the potential to be cracked. Yes, a little "social engineering" needs to take place to obtain a bit of info, but the info is there. What happens if the site is compromised? Don't even try to tell me that it's "Secure" and "the information is safe".
Although GEICO did the right thing by taking these pages down, the element still exists that will allow companies to database your personal information, information some people think only the government has access to.
MY personal information is safe when I am the one taking care of it. Who are THEY (the industry) to think they are responsible enough to guard my information, especially since I didn't give it to them, nor did I authorize it?
I signed up for their insurance services as a test. Considering that I have had a clean driving record for 11 years, no points against my license, and I drive an everyday suburban vehicle, there should be no reason why I wouldn't get their coverage. Unless, perhaps, I have made someone angry with my article :-)
Note: I didn't make anyone angry. In fact, I look at the article and the notification email that followed it as an "eye opener" for the GEICO authorities. The notification allowed them the opportunity to respond in kind and remove the offending pages.
Author's Notes: I would like to point out that I also went through the procedures on State Farm's website, which required a login to verify the information, and on Nationwide's, which did not present any personal information or request anything more than your name and address (no phone or Social Security Number).
At State Farm's site you are required to log in, which secures the procedure somewhat better than GEICO's did. As for Nationwide, their service, although the quote is not as accurate, is pretty much private. You can fake the information, just to see "about what it would cost", without worrying about giving out any personal information.
In a recently received message, one of our readers suggests that the insurance companies themselves do not keep active databases on potential clients. To quote our reader:
"....GEICO doesn't have a database on you. Neither does any other insurance company except those which you've done business with. The information GEICO found is obtainable by any company willing to pay for it. Companies such as Acxiom () collect and sell "private" information...."
While we know this to be true, statements such as these raise several other questions:
1) If other companies are involved, how is the data transmitted? The data is either purchased in bulk by GEICO or transmitted over high-speed connections. If transmitted, are they using secure connections? VPNs?
2) What right(s), if any, do these other companies have to collect personal data, including your Social Security Number?
3) If they have your SSN on file, who gave it to them? Do they have a copy of a Privacy Act Statement that you have signed?
4) Did some other company sell your information? Do they have the right to do so, with or without your permission?
These are but a few of the questions I plan to investigate in the coming weeks. Again, if you have any insight to these questions, feel free to send links and your comments to me.
Did you know that if you are in an automobile accident, whether it was your fault or not, the name and address of the person is put in various newsletters and magazines for the insurance industry? After my auto accident on March 17, 1998, I received phone calls and emails to my junk email address wanting to know if I wanted to buy this service or that service since I had just been in an auto accident. I asked one person where they got my name and they said from the insurance newsletter. Insurance companies have your medical history, work history and credit reports now. I've learned the hard way, even though the accident wasn't my fault. Privacy has gone down the drain.
Quoting the recently released "SecuritySearch.Net News Report - September 11, 2001":
Insurance industry risks security breaches
HARTFORD, Conn. - (SECURITYSEARCH.NET) - A study by Conning & Company (www.conning.com) suggests that the insurance industry - along with its customers and business partners - may be exposed to massive losses caused by breaches in security.
The Conning study, "Cyber-Security for Insurers: The Virtual Fortress?" states that insurers may be attractive targets for attacks because, among other things, they manage substantial liquid financial assets and are heavily reliant on "legacy" computer systems. In addition their relatively recent adoption of Internet-based processes, and growing interconnectivity with a large number of business partners, may also make them vulnerable.
"It is critical that insurers address their cyber-security vulnerabilities because of the substantial costs associated with breaches and the serious reputational damage that could result," warned Clint Harris, Vice President at Conning and author of the study.
"The trends are ominous for all industries," he continued. "Losses associated with cyber-security breaches, as we defined in the study, are projected to increase to $46.3 billion by 2005, more than twice the amount as in 2000."
Conning observed that some insurers may be in denial about their cyber-security risks.
"Their argument is `We haven't had a major incident so there's no reason to panic. We spent millions on Y2K, perhaps unnecessarily, and we have no intention of repeating that.'
Folks, this is exactly what I am getting at. If the companies that maintain these databases are not secure, then what are the chances that YOUR data, which they maintain, IS? They purchase this information, either in bulk or over the wire. If their antiquated computer systems are insufficient in their security methodology, what are the chances that a compromise of data has happened or is about to occur?
Please feel free to email me with your thoughts and opinions on this article. If selected, I will post them here, to allow all of our friends the opportunity to read what you have to say.