Over 2 million customer data stolen from Japanese insurer

TOKYO (Kyodo) — An estimated two to three million customer records were leaked in a data theft at Japan's four largest property and casualty insurers, sources familiar with the matter said Tuesday.

The leaked information from the four companies – Tokio Marine & Nichido Fire Insurance Co., Sompo Japan Insurance Inc., Mitsui Sumitomo Insurance Co. and Aioi Nissay Dowa Insurance Co. – included customer names, insurance policy numbers, types of insurance, maturity dates and premium amounts.

The incident has raised concerns about lax information management practices prevalent in the industry, with suspicions that some of the leaked data may have been used for sales purposes.

The four companies that reported the data theft in May must report details to Japan's financial regulator within a week. The regulator will review the reports and consider concrete measures to prevent a repeat.

The leaks follow a series of recent scandals that exposed industry-wide compliance problems, including insurance fraud by used-car chain Bigmotor Co. and collusion over insurance premiums for corporate clients and government agencies.

The data leak affected independent agents, such as car dealerships, that sell products from several insurance companies.

It was found that insurer employees working for independent agencies intentionally passed on other insurers' contract information to their own companies, possibly to gain insight into competitors' sales trends.

Sompo Japan employees have disclosed data to nine or more agencies, such as fire insurance contracts concluded with regional banks.

Numerous cases also revealed problems with information control in the agencies. When the agency headquarters sent emails with contract information for a specific insurer to its branches, employees of other insurers were ultimately among the recipients.

Insurers are required to oversee the agencies, but they did not view the leaks as problematic and did nothing to put an end to the practice.

It was originally estimated that between 151 and 268 agencies per insurer shared information, but the number is likely to be higher.