Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/14/2007
04:30 AM
50%
50%

Insurer Adds Encryption to Prevent Data Leaks

American National Insurance Company (ANICO) encrypts the desktop, disk, and sensitive email traffic

American National Insurance Company (ANICO) had a potential data leakage problem a couple of years ago, prompting the insurer early last year to start encrypting desktops, laptops, disks, and sensitive email messages.

The $17.6 billion ANICO, which has 60,000 agents, 5 million policyholders, and three locations, previously had confidential information flowing freely among its employees, agents, and policyholders for the company. “We knew we had a data leakage problem but were not sure how significant it was,” recalls Ken Juneau, assistant vice president and director of enterprise architecture systems for ANICO, which offers life insurance, annuities, health insurance, credit insurance, pension plan services, and property and casualty insurance for personal lines, agribusiness, and commercial risks.

So the insurer first installed a content-monitoring tool, which discovered that 30 percent to 35 percent of its traffic flowing beyond its network perimeter included unprotected personal data, such as account information, medical data, or Social Security numbers. Not only was this sensitive data susceptible to eavesdropping, but it also was not properly secured on employees’ and agents’ laptops and PCs.

With the pressures of federal and state government mandates for protecting such information, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and California Senate Bill 1386, ANICO found itself in the precarious position of possibly incurring catastrophic problems and fines from potential information breaches.

ANICO had to do something to plug up the leaks. The first step was determining what additional security products it needed. The conclusion: desktop encryption so employees and agents could exchange information securely; disk encryption in case a laptop or agent’s office machine was stolen; and automated encryption of sensitive email messages.

The insurer eventually pared its vendor selection down to Voltage Security and PGP Corp. The former had strong email encryption but nothing for disk encryption, so ANICO ended up choosing PGP. “To simplify our maintenance requirements, we wanted to minimize the number of vendors that we work with,” Juneau notes.

And by January of last year, the insurer had installed PGP Desktop Email, PGP Whole Disk Encryption, and PGP Universal Gateway. A big plus was that it was an appliance-based approach versus installing software on each user's desktop. “Because we deployed a security appliance [model] that resided on our network rather than software on all users’ PCs, our ongoing maintenance requirements [are] minimal,” Juneau says.

ANICO also needed a way to communicate with its customers who don't run encryption software, so it deployed PGP's Web Messenger feature, which sends those customers a message with a link to the insurance company’s Website, which then establishes a secure connection between them and ANICO's data center.

But the encryption implementation wasn't exactly plug-and-play: ANICO's three sites each run different email systems, so the deployment was a custom job at each of the sites. And there were some incompatibilities in how ANICO’s ISPs and PGP each handled email encryption, but eventually those problems were resolved.

One issue that's still outstanding, however, is user friendliness, Juneau says. The PGP user interface is not very intuitive, so when users move to new laptops or other devices, migrating the encryption functions can be cumbersome.

Still, Juneau says ANICO is comfortable with its decision to go with the PGP encryption solution. “Because we now identify and stop sensitive information from moving beyond users’ desktops, we have lowered the likelihood of litigation, additional expenses, and damage to our brand stemming from data leakages,” he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • PGP Corp.
  • Voltage Security Inc.

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    News
    FluBot Malware's Rapid Spread May Soon Hit US Phones
    Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
    Slideshows
    7 Modern-Day Cybersecurity Realities
    Steve Zurier, Contributing Writer,  4/30/2021
    Commentary
    How to Secure Employees' Home Wi-Fi Networks
    Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2021-31755
    PUBLISHED: 2021-05-07
    An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
    CVE-2021-31756
    PUBLISHED: 2021-05-07
    An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
    CVE-2021-31757
    PUBLISHED: 2021-05-07
    An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
    CVE-2021-31758
    PUBLISHED: 2021-05-07
    An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
    CVE-2021-31458
    PUBLISHED: 2021-05-07
    This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...