An Insurtech Startup Exposed Thousands of Sensitive Insurance Applications

Insurance technology startup BackNine has exposed thousands of insurance applications after a security lapse left one of its cloud servers unprotected on the internet. BackNine may be a company you are not familiar with, but it may have processed your personal information if you applied for insurance in the past few years.

The California-based company develops back-office software to help large insurance carriers sell and maintain life and disability insurance policies. It also provides a white-labeled quote web form for small or individual financial planners who sell insurance plans through their own websites. However, one of the company's storage servers, hosted on Amazon's cloud, was misconfigured to allow anyone access to the 711,000 files inside, including insurance applications that contain highly sensitive personal and medical information on applicants and their families. It also contained images of files.

Among the documents reviewed, TechCrunch found contact information such as full names, addresses and phone numbers, as well as Social Security numbers, diagnoses, medications, and detailed questionnaires about an applicant's health, past and present. Other files included lab and test results such as blood work and electrocardiograms. Some applications also contained a driver's license number. The exposed documents date from 2015 through as recently as this month. Since Amazon storage servers, known as buckets, are private by default, someone with control of the bucket must have changed its permissions to public. None of the data was encrypted.

Security researcher Bob Diachenko found the exposed storage bucket and emailed details of the lapse to the company in early June, but after receiving an initial response, he heard nothing further and the bucket remained open. We reached out to BackNine Vice President Reid Tattersall, whom Diachenko had contacted before being ignored. TechCrunch was also ignored. However, the data was locked down after the name of the bucket was provided to Tattersall, and only him. TechCrunch has not yet received a response from Tattersall, or from his father Mark, the company's chief executive, who was copied on a follow-up email.

TechCrunch asked Tattersall if the company had alerted local authorities as required under state data breach laws, or if the company had any plans to notify the people whose information was exposed. We did not get any answers. Companies can face severe financial and civil penalties for failing to disclose a cybersecurity incident.