According to a story published today in the News Journal, Aon Consulting is mailing letters to approximately 22,000 State of Delaware retirees after it inadvertently posted Social Security numbers, gender information and dates of birth in a Request for Proposal (RFP) the company prepared for the State. Aon posted the RFP information to the procurement section of the Delaware website, where it remained for five days before it was discovered and removed. This is not the first data breach for Aon Consulting. In May 2008, an Aon laptop containing the names and Social Security numbers of 57,160 people related to a Verizon engagement was stolen from a New York City restaurant. The laptop was never recovered.
Moreover, it is not the first time a global broker has compromised client data. On May 9, 2006, a Marsh subsidiary lost a personal computer containing records of more than a half million New Yorkers. The lost data included Social Security numbers and dates of birth. And, in 2008, Willis lost a data tape in India that contained data belonging to numerous clients who, in turn, had to report the loss to their own clients.
These events are a stark reminder that no one is 100% immune — even those who are in the risk management business are vulnerable to a data breach. Indeed, Marsh, Aon and Willis are the three largest brokers in the world and have, over the years, built very sophisticated risk management practices to help clients address their exposures. Accordingly, the message here is not to think any less of these brokers but rather to recognize the magnitude of the challenges faced by all firms when managing data risk. In other words, if a breach can hit these folks, it can hit just about anyone.