1.1M Farmers Insurance customers snared in breach

1.1M Farmers Insurance customers snared in breach

Briefly

"US insurance giant Farmers Insurance says more than a million customers had personal data nicked after a third-party vendor was compromised. The insurer, which sells car, home, life, and business cover to more than 10 million Americans, briefly published an advisory on its website confirming the breach before quietly pulling it offline [PDF]. Farmers isn't saying why, but companies sometimes retract notices to tweak wording or to coordinate with regulators."

"While Farmers' advisory has mysteriously vanished, notifications filed with Maine's attorney general confirm the incident affected just over 1.1 million people, with exposed data ranging from names and addresses to dates of birth, driver's license numbers, and in some cases fragments of Social Security numbers. The state filings - which remain online - spell out that around 40,000 people linked to Farmers New World Life Insurance Co. were affected, with the remaining 1.07 million tied to Farmers Insurance Exchange, Farmers Group, and affiliates."

"Farmers isn't saying which third-party vendor got popped, though reports speculate that it is Salesforce. The CRM giant counts Farmers as a customer, but has so far kept quiet on whether the company's Salesforce instance was the focus of the attack. The Salesforce campaign has become one of the year's most damaging supply chain incidents, with intruders apparently abusing stolen OAuth tokens, social-engineering calls, and misconfigured integrations to rifle through corporate customer data."