Spammers recently used email addresses obtained from health insurer Aetna’s job application website to conduct a phishing scam.

How many victims? Up to 450,000.

What type of personal information? Email addresses, and possibly Social Security numbers, phone numbers, addresses and employment histories.

What happened? Aetna’s job application website, which was maintained by a third party, contained the email addresses of about 450,000 people who had applied for jobs or submitted resumes to the company. Some of the email addresses were copied from the site and used in a phishing scam.

In early May, Aetna began receiving complaints from individuals who had received fraudulent emails that appeared to come from Aetna. In the phony emails, victims were presented with job offers or asked for personal information such as addresses and telephone numbers.

Details: Along with email addresses, the site stored the Social Security numbers of current and former employees and people who received job offers from the company. The phone numbers, addresses and employment histories of people who received job offers were also stored on the site. Aetna said it is not sure if any personal information beyond email addresses was accessed.

Quote: “We know for certain that the emails were accessed, we don’t know whether or not anything else was accessed,” Aetna spokeswoman Cynthia Michener told The Associated Press. “But we’re erring on the side of caution, we want people to know.”

What was the response? Aetna shut down the job application website, and hired an outside company to perform a forensic review of the site. They have not yet been able to determine how the breach occurred.

Aetna will offer free credit monitoring for a year to about 65,000 affected individuals. A warning about the fraudulent emails was posted on Aetna’s main site.

Source: The Associated Press, “Aetna offers credit monitoring after site breached,” May 28, 2009.