A couple of key points here:
- I checked the Aviva site today and there is no note on the homepage that this even happened. Aviva did notify all impacted individuals. But how are they sure they have notified all impacted parties? If they had logging good enough to know specifically who was impacted, why didn't they catch the theft more quickly? While they are probably following the breach notification regulations to the letter of the law, the lack of transparency to the general public does not exactly engender trust. If your organization has to give notice of a breach in the future, you should conspicuously notify those who are impacted. It's just as important to explain to the non-impacted parties how you know their information wasn't compromised. In the age of unchecked data breaches, "trust us" doesn't really cut it anymore.
- Another point to consider is that this clearly demonstrates that the insider threat is real. Many of the clients I deal with at Rendition Infosec dismiss the insider threat completely. After all, that's something that happens to other organizations; our organization would never have an insider stealing data. In Aviva's case, the theft was discovered because many customers complained about nuisance phone calls. Other data thefts might not have customers in a position to detect the fraud, and theft of trade secrets and other intellectual property is particularly difficult to detect. Organizations that have not taken a serious look at their strategies for detecting insider threats should do so before they are hit with a breach.