65,000 affected employees were notified

May 30, 2009 09:14 GMT

Aetna, one of the largest health care benefit companies in the U.S., alerted around 65,000 current and former employees that their Social Security Numbers might have been stolen by hackers. The breach occurred on the company's job application website, which was being maintained by a partner.

A few weeks ago, the insurance firm started receiving complaints from numerous people regarding spam e-mails sent in its name. The messages were actually part of a phishing campaign and claimed to be responses to job applications. The targeted individuals were being asked to provide additional personal information.

Aetna concluded that the origin of the attack was its job application website and brought in a team of computer forensics investigators. According to Network World, Aetna spokeswoman Cynthia Michener said of the ongoing investigation, "At this point despite a thorough review, they've not been able to pinpoint the precise breach."

The company is fairly certain that at least e-mail addresses have been stolen, but has no evidence regarding the SSNs yet. Nevertheless, this is a possibility and Aetna proceeded with notifying the affected individuals. "We wanted to err on the side of caution," noted Ms. Michener. The firm has posted alerts about the ongoing phishing campaign on its website and is offering the 65,000 employees a free one-year subscription to a credit monitoring service.

The breach could have been much more serious, as the website in question has 450,000 registered applicants, who provided info such as full names, addresses, phone numbers and e-mail addresses. Their Social Security Numbers were not stored locally, but the rest of the data can still be valuable to spammers and phishers.

A similar breach occurred earlier this year at USAJOBS, a website used by the United States Office of Personnel Management to list employment opportunities in the federal government. The compromised data included user IDs and passwords, email addresses, names, phone numbers, as well as some demographic data.