Insurance Tech Startup Exposes Thousands of Insurance Applications

Our latest example of data security vulnerabilities in the cloud comes out of California, where, on July 17, a company’s Amazon S3 storage servers allowed public access to more than 700,000 files containing customer data related to insurance applications.

Screen Shot 2021-07-29 at 1.02.18 PM

This leak, exposed by TechCrunch, contained extremely sensitive and shockingly comprehensive personal data, including: full names, addresses, phone numbers, Social Security numbers, driver’s license numbers and medical records. Some records even included images of applicant signatures!

The company, BackNine Insurance, said “A bug with BackNine’s code caused some insurance applications to be uploaded to the incorrect S3 bucket.”

The vulnerability dates back to 2015, and BackNine also divulged that “Logging was not enabled on the S3 bucket so it’s unknown who viewed or copied files.”

Amazon’s S3 buckets are private by design, so someone with access to these servers “must have changed their permissions to public,” says TechCrunch.

This is a prime example of a compromised cloud data store, mistakenly misconfigured and left unprotected with virtually no means to track the perpetrator(s) after the breach was discovered. Clearly, this creates a major crisis for the company as well as the thousands of affected users. 

As the old saying goes, “The easiest fire to extinguish is one that never starts”. With Dasera, BackNine Insurance might have been able to prevent this data breach by:

  • Discovering which S3 buckets contain sensitive data 
  • Determining which S3 buckets were misconfigured (e.g. open to public, not encrypted)
  • Determining who had/didn’t have access to S3 buckets with sensitive data

Protect data at every turn of the data lifecycle, from creation to deletion, with Dasera.


Tu Phan