Data leak exposes pensioners’ personal information

Last week some 22,000 retired Delaware governmental employees opened innocuous looking letters informing them, in boldface type, that their Social Security numbers were posted on the Internet for four days, viewable to anyone in the world including those who would use the information to commit fraud.

The personal data, which also identified retirees’ genders but did not contain their names, was inadvertently uploaded to a state agency website as part of a request for proposals packet prepared by Aon Consulting, a firm retained to assist the state with selecting a vision insurance plan for retirees.

Although the bid packet was supposed to contain random client identifiers, not Social Security numbers, no one at Aon or the Statewide Benefits Office reviewed the document before posting it to the www.bids.delaware.gov website on Aug. 16, according to Office of Management and Budget spokeswoman Catherine Kempista.

On Aug. 20, a benefits office staff member opened the online document to answer a question from a potential bidder and discovered the personal information, Kempista said.

At that point, the staffer immediately pulled the bid packet from the website, she said.

Bert Scoglietti, OMB policy director, said Aon is at fault for including personal information in the document.

“Aon takes primary responsibility in this,” he said. “This document went in various formats between Aon and this office in its development. Previous versions did not contain Social Security numbers; the final document was sent by Aon.”

Scoglietti said the benefits office didn’t have to review the finalized document before posting it online.

“Documents, when they’re in final format and ready for publishing, usually at that point you consider them to be final,” he said. “There was no reason for us to think [personal information] would be in there.”

Aon spokesman Joe Micucci would not say if the misstep was attributable to human error or a computer problem.

“This specific incident is under review to ensure it doesn’t happen again,” he said. “We employ the latest technology in encryption and we have stringent internal checks.”

In a letter sent to members of the Delaware General Assembly Sept. 2, OMB Director Ann Visalli said the state is working with a cyber security and identity protection firm to assist in protecting those retirees whose information was exposed.

Spokesmen for OMB and Aon would not say how the data breach will impact the contractual relationship between the state and the consultant. Since 2007, when Aon was put on retainer, the state has paid the company more than $1.1 million for its services, according to OMB.

On Aug. 20, a benefits office staff member opened the online document to answer a question from a potential bidder and discovered the personal information, Kempista said.

At that point, the staffer immediately pulled the bid packet from the website, she said.

Bert Scoglietti, OMB policy director, said Aon is at fault for including personal information in the document.

Scoglietti said the benefits office didn’t have to review the finalized document before posting it online.

Aon spokesman Joe Micucci would not say if the misstep was attributable to human error or a computer problem.

“This specific incident is under review to ensure it doesn’t happen again,” he said. “We employ the latest technology in encryption and we have stringent internal checks.”

Scoglietti did say OMB is talking to the state attorney general’s office regarding possible legal action.

Retirees livid

In the letter sent to affected retirees, Aon offered them one year of free credit monitoring through Experian, one of the major consumer credit rating houses.

But many pensioners say the offer is an empty gesture, since there’s nothing to stop a potential fraudster from waiting a year before using their information to get a credit card or make a major purchase in their name.

Former state employees at various levels were subject to the leak, as were retired teachers and state troopers.

“They’re outraged, they’re scared, which is all understandable. This obviously shouldn’t have happened and it is extremely unfortunate and in no way acceptable,” said Pam Nichols, spokeswoman for the Delaware State Education Association, the state teachers union.

Sandy Richards is retired from the Delaware Psychiatric Center and president of the retiree chapter of the local American Federation of State, County and Municipal Employees union.

When he received his letter, he was more than shocked.

“I was ready to choke somebody. That’s one of the things the government is always telling you, be careful with your Social Security number,” he said.

Aon has given retirees 90 days to sign up for the free Experian monitoring, but Richards said the company is in no position to place limitations, timelines or expiration dates on those whose security they jeopardized.

“When something does happen, if they happen to use this information, it takes an awful long time to get straightened out,” he said. “We won’t know until you get a bill or something, and [Aon is] telling us to do things that they’re responsible for.”

Micucci said Aon wants retirees to sign up for the free monitoring as soon as possible and the company has nothing further to offer those affected at this time.

However, there are things those whose information got out can do to protect themselves.

Linda Foley, founder of the Identity Theft Resource Center based in San Diego, Calif., said the retirees need to make sure they take advantage of the free yearly credit reports they can obtain by law from the three major credit bureaus.

“You do get to check your credit report annually, and instead of ordering all three at one time, check them one at a time over the course of a year,” she said. “This gives you the chance to keep on top of it.

The thieves don’t use the information right away, they know everyone is going to put a fraud alert on.”

Email Doug Denison at doug.denison@doverpost.com.