Published On: Sat, Jul 17th, 2021

An insurtech startup exposed thousands of sensitive insurance applications

A security lapse at insurance records startup BackNine exposed hundreds of thousands of insurance applications after one of its cloud servers was left exposed on the internet.

BackNine might be a company you're not familiar with, but it may have processed your personal information if you applied for insurance in the past few years. The California-based company builds back-office software to help bigger insurance carriers sell and maintain life and disability insurance policies. It also offers a white-labeled quote web form for smaller or independent financial planners who sell insurance plans through their own websites.

But one of the company's storage servers, hosted on Amazon's cloud, was misconfigured to allow anyone access to the 711,000 files inside, including completed insurance applications that contain highly sensitive personal and medical information on the applicant and their family. It also contained images of individuals' signatures as well as other internal BackNine files.

Of the documents reviewed, TechCrunch found contact information, like full names, addresses and phone numbers, but also Social Security numbers, medical diagnoses, drugs taken and detailed completed questionnaires about an applicant's health, past and present. Other files included lab and test results, such as blood work and electrocardiograms. Some applications also contained driver's license numbers.

The exposed documents date back to 2015, and as recently as this month.

Because Amazon storage servers, known as buckets, are private by default, someone with control of the buckets must have changed the permissions to public. None of the data was encrypted.
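An S3 bucket only becomes reachable by "anyone" through one of three settings: a bucket ACL granting a public group, a bucket policy allowing a wildcard principal, or a Public Access Block that is missing or switched off. The following audit function is an added example (not code from the article or from BackNine) that evaluates all three offline; the input dicts are constructed samples in the shape that boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` return, and the bucket name, account ID and role name in them are placeholders.

```python
"""Audit S3 bucket settings for public exposure (added example, offline).

The sample inputs below are constructed; the grantee URIs and the four
Public Access Block flag names are the real AWS identifiers.
"""
import json

# Grantee URIs that make an ACL grant public (AllUsers) or open to any
# AWS account holder (AuthenticatedUsers), which AWS also treats as public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl: dict) -> list:
    """(permission, uri) for every ACL grant made to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grant.get("Permission"), grantee["URI"]))
    return found


def _wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [... "*" ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json: str) -> list:
    """Sid (or index) of each Allow statement with a wildcard principal."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal"))]


def public_access_block_gaps(pab: dict) -> list:
    """Public Access Block flags that are not enabled (missing config = all off)."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [f for f in PAB_FLAGS if not cfg.get(f, False)]


def audit_bucket(acl: dict, policy_json: str, pab: dict) -> dict:
    """Combine the three checks and decide whether the bucket is effectively public.

    A public ACL is neutralised by IgnorePublicAcls, and a public policy
    by RestrictPublicBuckets, so exposure requires the grant AND the gap.
    """
    gaps = public_access_block_gaps(pab)
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy_json)
    exposed = (bool(acl_hits) and "IgnorePublicAcls" in gaps) or \
              (bool(policy_hits) and "RestrictPublicBuckets" in gaps)
    return {"acl": acl_hits, "policy": policy_hits, "pab_gaps": gaps, "exposed": exposed}


# --- constructed samples: the weak configuration beside the corrected one ---
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}
EXPOSED_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    OWNER,
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
EXPOSED_PAB = {}  # no Public Access Block configured at all

HARDENED_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [OWNER]}
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
HARDENED_PAB = {"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}}

if __name__ == "__main__":
    print("weak:", audit_bucket(EXPOSED_ACL, EXPOSED_POLICY, EXPOSED_PAB))
    print("hardened:", audit_bucket(HARDENED_ACL, HARDENED_POLICY, HARDENED_PAB))
```

To run this against a real account, pass the dicts returned by a boto3 S3 client's `get_bucket_acl(Bucket=...)`, the `Policy` string from `get_bucket_policy(Bucket=...)`, and the result of `get_public_access_block(Bucket=...)`; when the latter raises `NoSuchPublicAccessBlockConfiguration` (or `get_bucket_policy` raises `NoSuchBucketPolicy`), substitute an empty dict or `"{}"` so the audit treats the setting as absent, which is the exposure-relevant reading.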

Security researcher Bob Diachenko found the exposed storage bucket and emailed details of the lapse to the company in early June, but after receiving an initial response, he didn't hear back and the bucket remained open.

We reached out to BackNine vice president Reid Tattersall, with whom Diachenko was in contact and ignored. TechCrunch, too, was ignored. But within minutes of providing Tattersall — and him only — with the name of the exposed bucket, the data was locked down. TechCrunch has yet to receive a response from Tattersall, or his father Mark, the company's chief executive, who was copied on a later email.

TechCrunch asked Tattersall if the company has alerted local authorities per state data breach notification laws, or if the company has any plans to notify the affected people whose information was exposed. We did not receive an answer. Companies can face stiff financial and civil penalties for failing to disclose a cybersecurity incident.

BackNine works with some of America's largest insurance carriers. Many of the insurance applications found in the exposed bucket were for AIG, TransAmerica, John Hancock, Lincoln Financial Group and Prudential. When reached prior to publication, spokespeople for the insurance giants did not comment.
