Aon recently disclosed that 145,889 of its North American customers had their sensitive information exposed in a large data breach.
The British multinational financial services firm that sells a range of risk-mitigation products announced that hackers breached its systems “at various times” from December 29 2020 to February 26 2022.
Aon disclosed the breach in a Securities & Exchange Commission filing in February. Further details were disclosed three months later, on May 26.
In a letter dated May 27, Aon told affected individuals that affected personally identifiable information includes driver’s license numbers, Social Security numbers and “in a small number of cases, benefits enrolment information.”
“Aon has taken steps to confirm that the unauthorized third party no longer has access to the data and Aon has no indication the unauthorized third party further copied, retained or shared any of the data,” the letter added. “We have no reason to suspect your information has or will be misused.”
Affected customers were offered 24-month membership with an identity-protection firm.
Aon faces at least two lawsuits from plaintiffs as a result of the data breach. Two complaints seeking class-action status were filed in Chicago in recent days.
“In addition to the defendant’s failure to prevent the data breach, after discovering the breach, the defendant waited several months to report it to affected individuals,” according to the complaint. “As a result of this delayed response, plaintiffs and class members had no idea their (personally identifiable information) had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social and financial harm. The risk will remain for their respective lifetimes.”
In an emailed statement, an Aon spokesperson claimed that Aon hired an outside firm to conduct an investigation and swiftly informed the FBI after learning of the breach.
“Our investigation is complete and we have concluded the process of notifying those clients and individuals whose personal information was temporarily obtained,” spokeswoman Nadine Youssef said. “The third-party investigation found no evidence that the information has been or will be misused. Since the event occurred, we’ve implemented a series of controls designed to further strengthen existing safeguards and provided complimentary credit monitoring services for those individuals who have received notice.”
She stressed that the company wasn’t a ransomware victim and hadn’t lost control of its systems or paid to have them restored.