A security lapse at insurance technology startup BackNine exposed hundreds of thousands of insurance applications after one of its cloud servers was left unprotected on the internet.
BackNine might be a company you're not familiar with, but it may have processed your personal information if you applied for insurance in the past few years. The California-based company builds back-office software to help bigger insurance carriers sell and maintain life and disability insurance policies. It also offers a white-labeled quote web form for smaller or independent financial planners who sell insurance through their own websites.
But one of the company's storage servers, hosted on Amazon's cloud, was misconfigured to allow anyone access to the 711,000 files inside, including completed insurance applications that contain highly sensitive personal and medical information on the applicant and their family. It also contained images of individuals' signatures as well as other internal BackNine files.
Of the documents reviewed, TechCrunch found contact information, like full names, addresses and phone numbers, but also Social Security numbers, medical diagnoses, medications taken and detailed completed questionnaires about an applicant's health, past and present. Other files included lab and test results, such as blood work and electrocardiograms. Some applications also contained driver's license numbers.
The exposed documents date back to 2015, and as recently as this month.
Because Amazon storage servers, known as buckets, are private by default, someone with control of the bucket must have changed its permissions to public. None of the data was encrypted.
Security researcher Bob Diachenko found the exposed storage bucket and emailed details of the lapse to the company in early June, but after receiving an initial response, he did not hear back and the bucket remained open.
We reached out to BackNine vice president Reid Tattersall, with whom Diachenko was in contact and ignored. TechCrunch, too, was ignored. But within minutes of providing Tattersall, and him only, with the name of the exposed bucket, the data was locked down. TechCrunch has yet to receive a response from Tattersall, or his father Mark, the company's chief executive, who was copied on a later email.
TechCrunch asked Tattersall if the company has alerted local authorities per state data breach notification laws, or if the company has any plans to notify the affected individuals whose data was exposed. We did not receive an answer. Companies can face stiff financial and civil penalties for failing to disclose a cybersecurity incident.
BackNine works with some of America's largest insurance carriers. Many of the insurance applications found in the exposed bucket were for AIG, TransAmerica, John Hancock, Lincoln Financial Group and Prudential. When reached prior to publication, spokespeople for the insurance giants did not comment.