June 02, 2009, 5:31 PM — Batteries.com, an online seller of batteries for consumer electronics, and Aviva USA, one of the largest insurance companies in the world, have both reported data breaches in recent days.
Both companies reported the data breaches to the New Hampshire Department of Justice in May, with Batteries.com reporting that 865 residents of New Hampshire may be affected. New Hampshire's population is about 0.4 percent of the entire U.S. population, meaning the number of affected U.S. residents could be much greater.
Batteries.com did not return a phone call and e-mail message seeking information about the data breach, which was caused by a hacked server, the company told the New Hampshire Department of Justice. The hackers compromised the server on Feb. 25 and continued their attacks for "a period of several weeks," the company said in a filing published on the agency's Web site.
The hackers stole names, addresses and credit card information from the Batteries.com server, the company said.
"A handful of Batteries.com customers also have reported unauthorized use of their credit card accounts that is believed to be tied to this hacking," Batteries.com said in its filing with the state.
Batteries.com discovered the breach in March, the company told the New Hampshire agency. New Hampshire law requires companies with data breaches to notify the Department of Justice if state residents are affected, and Batteries.com notified the agency May 18. Customer notifications of the data breach went out in mid-May, the company said.
Batteries.com is offering to provide affected customers with two years of free credit monitoring, and it has established a call center for people who have questions, the filing said.
Last Thursday, Aviva, a U.K. company formerly known as Norwich Union, reported a data breach affecting about 550 people nationwide. The data breach affected customers who opened accounts in the U.S. or beneficiaries of accounts opened in the U.S., said Randy Wadle, Aviva's CIO.
Aviva, a financial services and insurance vendor, has more than 925,000 U.S. customers, according to the company Web site.
The breach, caused by malware on an Aviva computer, happened between Dec. 30 and Feb. 24, Aviva said. A vendor helping Aviva locate policyholders and beneficiaries whose mail was undeliverable found three Aviva USA customers' Social Security numbers and other personal information while searching for them, Wadle said.
Aviva then conducted a forensic investigation and found the malware, he said. He declined to give the date of when the breach was discovered or to disclose details on how the malware came to the compromised computer.
Aviva has removed the compromised hardware and "taken steps to secure our environment against similar future malware attacks," the company said in its New Hampshire filing.
Data breach is "an industrywide issue, but one that we take very seriously," Wadle said. "Protecting our customers' data is critical to us."
Aviva sent a notice to one New Hampshire resident potentially affected by the breach. Affected Aviva customers will be offered a free identity-theft protection service for one year and identity theft insurance coverage of US$25,000, the company said.