Notice of Data Security Incident

Reid Tattersall

8/19/2021

BackNine Provides Notification of Data Security Incident
Westlake Village, CA: August 17, 2021 – BackNine Insurance and Financial Services, Inc. (“BackNine”) recently learned of a data security issue potentially impacting personal information (“PI”) and protected health information (“PHI”) belonging to certain individuals who worked with BackNine to apply for one or more insurance policies or annuities, as well as individuals who were listed as beneficiaries or policy holders on an insurance policy or annuity application. BackNine has notified potentially impacted individuals and provided resources to assist them.

What Happened. BackNine is an insurance broker and financial services firm located in Westlake Village, California. BackNine sells life, long term care, and disability insurance as well as annuities.
On July 12, 2021, BackNine learned of a coding error that caused certain insurance and annuity applications to be uploaded to a publicly accessible cloud storage container. Upon discovery, BackNine immediately secured the folder so that it was no longer publicly accessible and took steps to ensure that the container at issue was the only one affected. BackNine also altered the misconfigured code to ensure that future applications would be uploaded to and stored in non-publicly accessible folders.
In addition, BackNine—with the assistance of outside data privacy and cybersecurity experts—conducted an investigation and worked to identify the individuals whose information was stored in the impacted cloud storage container and the categories of information potentially involved for each such individual. On July 26, 2021, BackNine completed the review process and then worked diligently to identify current address information required to provide notification of this incident.

We have no reason to believe that the information involved has been or will be misused. Nevertheless, we notified potentially impacted individuals of the incident out of an abundance of caution so that they may take appropriate steps to help protect their PI and PHI.

What Information Was Involved. The information contained in the impacted cloud storage container varied depending on the individual but may have included the following: name, address, phone number, date of birth, Social Security number, driver’s license or state identification card number, health-related information, and/or financial status (e.g., assets, liabilities, and income).

What We Are Doing. As soon as BackNine learned of the issue, BackNine took the measures referenced above. BackNine is also implementing additional security measures to protect information on its systems and to minimize the likelihood of a similar situation occurring in the future. Furthermore, BackNine reported the incident to the Federal Bureau of Investigation and is committed to assisting with any investigation into this matter. Finally, BackNine provided potentially impacted individuals with information about how to help protect their information and offered free identity protection services thereto.

What You Can Do. The notification letters that were sent to potentially affected individuals include information about resources and steps that they can take to help protect their PI and PHI. BackNine has established a toll-free call center to address any questions and concerns regarding the incident. Call center representatives are available at (833) 909-3934 between Monday and Friday from 6 a.m. to 6 p.m. Pacific Time.
BackNine is committed to protecting the security and privacy of its customers. We regret any worry or inconvenience that this may cause.

While BackNine has no evidence of the misuse of any information involved in the incident, it is providing the following information about steps that individuals can take to protect themselves:

What steps can I take to protect my personal information?

  • Please notify your financial institution immediately if you detect any suspicious activity on any of your accounts, including unauthorized transactions or new accounts opened in your name that you do not recognize. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities.
  • You can request a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting agencies. To do so, free of charge once every 12 months, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting agencies is listed at the bottom of this page.
  • You can take steps recommended by the Federal Trade Commission to protect yourself from identity theft. The FTC’s website offers helpful information at www.ftc.gov/idtheft.
  • Additional information on what you can do to better protect yourself is included in your notification letter.

How do I obtain a copy of my credit report?
You may obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months by visiting http://www.annualcreditreport.com/, calling toll-free 877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You also can contact one of the following three national credit reporting agencies:

TransUnion
P.O. Box 1000
Chester, PA 19016
1-800-916-8800
www.transunion.com

Experian
P.O. Box 2002
Allen, TX 75013
1-888-397-3742
www.experian.com

Equifax
P.O. Box 740241
Atlanta, GA 30374
1-888-548-7878
www.equifax.com

How do I put a fraud alert on my account?
You may want to consider placing a fraud alert on your credit report. An initial fraud alert is free and will stay on your credit file for one year. The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any accounts in your name. To place a fraud alert on your credit report, contact any of the three credit reporting agencies identified above. Additional information is available at http://www.annualcreditreport.com.

How do I put a security freeze on my credit reports?
You have the right to place a security freeze on your credit report. A security freeze is intended to prevent credit, loans and services from being approved in your name without your consent. To place a security freeze on your credit report, you need to make a request to each consumer reporting agency. You may make that request by certified mail, overnight mail, or regular stamped mail, or online by following the instructions found at the websites listed below. You will need to provide the following information when requesting a security freeze (note that if you are making a request for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; and (4) address. You may also be asked to provide other personal information such as your email address, a copy of a government-issued identification card, and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. There is no charge to place, lift, or remove a freeze. You may obtain a security freeze by contacting any one or more of the following national consumer reporting agencies:

Equifax Security Freeze
PO Box 105788
Atlanta, GA 30348
1-800-685-1111
www.equifax.com

Experian Security Freeze
PO Box 9554
Allen, TX 75013
1-888-397-3742
www.experian.com

TransUnion (FVAD)
PO Box 2000
Chester, PA 19022
1-800-909-8872
www.transunion.com

What should I do if my family member is deceased and their information was involved in the incident?
You may choose to notify the three major credit bureaus, Equifax, Experian and TransUnion, and request they flag the deceased credit file. This will prevent the credit file information from being used to open credit. To make this request, mail a copy of your family member’s death certificate to each company at the addresses below.

Equifax
Equifax Information Services
P.O. Box 105169
Atlanta, GA 30348

Experian
Experian Information Services
P.O. Box 9701
Allen, TX 75013

TransUnion
Trans Union Information Services
P.O. Box 2000
Chester, PA 19022

What should I do if my minor child’s information was involved in the incident?
You can request that each of the three national credit reporting agencies perform a manual search for a minor’s Social Security number to determine if there is an associated credit report. Copies of identifying information for the minor and parent/guardian may be required, including birth or adoption certificate, Social Security card and government issued identification card. If a credit report exists, you should request a copy of the report and immediately report any fraudulent accounts to the credit reporting agency. You can also report any misuse of a minor’s information to the FTC at https://www.identitytheft.gov/. For more information about Child Identity Theft and instructions for requesting a manual Social Security number search, visit the FTC website: https://www.consumer.ftc.gov/articles/0040-child-identity-theft. Contact information for the three national credit reporting agencies may be found above.