InsurTech BackNine exposed hundreds of thousands of insurance applications that included sensitive information after its cloud server was left unprotected on the internet.
One of the company’s storage servers, hosted on Amazon’s cloud, was misconfigured to allow anyone access to the 711,000 files inside, including completed insurance applications that contain highly sensitive personal and medical information on the applicant and their family. It also contained images of individuals’ signatures as well as other internal BackNine files, TechCrunch reported.
The exposed documents included contact information like full names, addresses and phone numbers, as well as Social Security numbers, medical diagnoses, medications taken and detailed completed questionnaires about an applicant’s health, past and present. Other files included lab and test results, such as blood work and electrocardiograms. Some applications also contained driver’s license numbers. The exposed documents date from 2015 up until this month.
Amazon storage servers, known as buckets, are private by default. As a result, the access controls on the bucket must have been changed to make it public. None of the data was encrypted.
Security researcher Bob Diachenko found the exposed storage bucket and emailed details of the lapse to the company in early June, but after receiving an initial response, he didn’t hear back and the bucket remained open.
When asked if the company has alerted local authorities per state data breach notification laws, or if the company has any plans to notify the affected individuals whose data was exposed, BackNine did not comment.
The California-based company builds back-office software to help bigger insurance carriers sell and maintain life and disability insurance policies. It also offers a white-labelled quote web form for smaller or independent financial planners who sell insurance plans through their own websites.
BackNine works with some of America’s largest insurance carriers. Many of the insurance applications found in the exposed bucket were for AIG, TransAmerica, John Hancock, Lincoln Financial Group and Prudential.
Copyright © 2018 RegTech Analyst