The Heartbleed Bug, California Casualty and You
There is some good news among the bad news associated with the Heartbleed bug affecting internet users — California Casualty customers were not affected.
At California Casualty, we protect American heroes. We have also protected you from being victimized by the notorious Heartbleed bug. While many secure webpages were breached by this flaw, California Casualty does not use the version of OpenSSL source code that proved vulnerable to cyber-criminals. Your secure information is still secure and California Casualty IT professionals remain ever-vigilant against cyber-attacks and other electronic intrusions.
For your continued internet safety, it is recommended that you occasionally change passwords using a mixture of upper and lower case letters along with numbers and symbols.
All California Casualty customers have an added level of cyber-protection: every policy we sell comes with FREE Identity Theft 911 protection. If you suspect your identity has been compromised, simply call California Casualty at 1.800.800.9410 and ask for a fraud specialist.
Identity Theft 911 also has an extensive article about the Heartbleed bug and security measures you can take to prevent being a victim.
To help you understand this important issue, here are some FAQs about Heartbleed and protecting your identity:
What is the "Heartbleed" bug and is my information at risk?
"Heartbleed" is a flaw in software that is widely used to enable secure access to websites (OpenSSL versions 1.0.1 through 1.0.1f). California Casualty reviewed all our public servers and we have no indication that our systems are at risk from this vulnerability. We recommend members periodically change their passwords and use a unique password for each site.
Does this affect sites connected with California Casualty?
No login credentials are transferred to those websites. Customer logins are kept within California Casualty's website.
Does California Casualty use OpenSSL?
California Casualty uses OpenSSL on some of its public-facing servers, but not all. However, those that do have OpenSSL installed have either a patched version or a version not affected by this vulnerability.
How long did this flaw exist and what are the possible impacts?
It's not clear when the breach took place or for how long. There is evidence some individuals took advantage of the "Heartbleed" bug before the public was alerted. Because the patch was installed before the flaw became public, recent attempts to exploit the bug would not affect calcas.com.
We keep hearing this affected security certificates; what are they?
A certificate is used by a website to prove its authenticity and to encrypt communications securely between a customer and the website.
Did California Casualty have any exposed security certificates?
We have no indication that our security certificates have been compromised. To be clear, this is a vulnerability of the OpenSSL library, and not a flaw with SSL/TLS or certificates issued by Symantec, our third-party certificate authority. Additionally, Symantec immediately followed best practices by patching our systems and re-keying all certificates on our web servers. At no time were Symantec's SSL or Code-Signing roots and intermediates at risk, nor was there ever an issue with Symantec certificates.
How do you know member data was not exposed before the patch was implemented?
Because the public-facing servers did not have OpenSSL 1.0.1 through 1.0.1f (the vulnerable versions) installed on them.
Do you use Perfect Forward Secrecy?
We are in talks with our Certificate Authority on the possibility of implementation.
Is there anything California Casualty customers need to do?
It's always a good idea to occasionally change passwords, using a mix of upper and lower case letters with symbols and numbers. It is also best to use unique passwords for each site. Remember, as far as we can ascertain, it does not appear calcas.com was compromised.
Is there a continued threat for calcas.com?
California Casualty has taken steps to ensure we are protected, and we will continue to monitor for potential threats.
If I have concerns that my personal information has been compromised, how can Identity Theft 911 help?
Identity Theft 911, free with every California Casualty insurance policy, is the nation's premier provider of identity and data risk management. Their identity fraud specialists can help you resolve ID theft cases, replace documents that have been lost or destroyed and can even help if your social media has been compromised. Their experts are aware of, and are tracking, the impact of the Heartbleed bug and other cyber crimes.