Insurtech Data Breach: Thousands of Insurance Applications Exposed

Data Breach Exposes Sensitive Insurance Information at BackNine

A significant security vulnerability at BackNine, an insurance technology firm, resulted in the exposure of hundreds of thousands of insurance applications. This occurred due to an improperly secured cloud server accessible via the internet.

About BackNine and the Scope of the Breach

While potentially unfamiliar to many, BackNine processes personal data from individuals applying for insurance. The California-based company develops software solutions for larger insurance providers, aiding in the sales and management of life and disability insurance policies.

Furthermore, they provide a customizable quote form for independent financial planners who distribute insurance through their own websites. A storage server hosted on Amazon’s cloud platform was misconfigured, granting public access to approximately 711,000 files.

Details of the Exposed Data

These files encompassed completed insurance applications containing highly confidential personal and medical details concerning applicants and their families. The exposed data also included images of signatures and other internal BackNine documents.

Review of the documents revealed a wide range of sensitive information. This included full names, addresses, phone numbers, Social Security numbers, medical diagnoses, current medications, and comprehensive health questionnaires detailing past and present health conditions.

Lab results, such as blood work and electrocardiograms, were also present. In some instances, driver’s license numbers were included within the exposed applications.

Timeline and Cause of the Exposure

The compromised documents date back to 2015, with data as recent as the current month being accessible. Amazon storage servers, referred to as buckets, are inherently private.

The public accessibility was a result of altered permissions by someone with administrative control over the bucket. Critically, the data was not protected by encryption.

Discovery and Response

Security researcher Bob Diachenko discovered the exposed storage bucket in early June and promptly notified BackNine. Despite an initial acknowledgment, he received no further communication, and the vulnerability remained unaddressed.

Attempts to reach BackNine Vice President Reid Tattersall, who had been in contact with Diachenko, were unsuccessful. TechCrunch also experienced a lack of response.

However, upon receiving the specific name of the exposed bucket, the data was immediately secured. Neither Tattersall nor his father, Mark Tattersall, the company’s CEO, responded to subsequent inquiries.

Compliance and Affected Companies

TechCrunch inquired whether BackNine had notified relevant authorities as required by state data breach notification laws, and if they planned to inform affected individuals. No response was provided.

Failure to disclose a cybersecurity incident can result in substantial financial and legal penalties. BackNine collaborates with major U.S. insurance carriers, including AIG, TransAmerica, John Hancock, Lincoln Financial Group, and Prudential.

Spokespeople for these insurance companies declined to comment when contacted prior to publication.