![Unsecured NAS device exposes insurance firm's customer details](http://www.itwire.com/media/k2/items/cache/dc3cea7ab496b3fbba540dabc1977b6f_S.jpg)
A private sector programme that provides property insurance in the US state of Maryland has left the data of thousands on an unsecured network attached storage device, exposing customer files, claims, addresses, phone numbers, birth dates and Social Security numbers.
The security firm UpGuard said the Maryland Joint Insurance Association had left the NAS device connected to the Internet and publicly accessible through an open port.
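The exposure described above comes down to a storage device whose file-sharing service answers on a port reachable from the public Internet. The following is an added example, not code from the article or from UpGuard, of the kind of self-audit a defender can run against the public addresses of their own NAS devices: it probes a constructed list of file-sharing and management ports and rates the exposure. The port list, the hostname and the severity rules are assumptions for illustration; the connector is injectable so the logic can be exercised without touching the network.

```python
import socket
from typing import Callable, Dict, Iterable, List

# Assumed list of ports a NAS commonly serves file shares or admin UIs on.
# This mapping is constructed for the example; adjust it to your estate.
FILE_SHARING_PORTS: Dict[int, str] = {
    21: "FTP",
    139: "NetBIOS session (SMB over NetBIOS)",
    445: "SMB",
    873: "rsync",
    2049: "NFS",
    5000: "NAS web admin (HTTP)",
    5001: "NAS web admin (HTTPS)",
}

# Ports whose exposure means file contents are directly reachable, not just
# an admin login page. Classification is an assumption for this example.
DIRECT_FILE_ACCESS = {21, 139, 445, 873, 2049}


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake completes, i.e. the port is open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(
    host: str,
    ports: Iterable[int],
    connect: Callable[[str, int], bool] = tcp_connect,
) -> List[int]:
    """Probe each port on host using the given connector; return open ports."""
    return sorted(p for p in ports if connect(host, p))


def assess_exposure(host: str, open_ports: Iterable[int]) -> dict:
    """Turn a list of open ports into findings and an overall severity."""
    findings = [
        f"{host}:{p} ({FILE_SHARING_PORTS.get(p, 'unknown service')}) is reachable"
        for p in open_ports
    ]
    open_set = set(open_ports)
    if open_set & DIRECT_FILE_ACCESS:
        severity = "high"      # shares or backups are directly exposed
    elif open_set:
        severity = "medium"    # an admin interface is exposed to the Internet
    else:
        severity = "none"
    return {"host": host, "severity": severity, "findings": findings}


if __name__ == "__main__":
    # Replace with the public address of your own NAS (constructed value here).
    target = "nas.example.test"
    result = assess_exposure(target, probe_ports(target, FILE_SHARING_PORTS))
    print(result["severity"])
    for line in result["findings"]:
        print(" -", line)
```

The probe only completes a TCP handshake, which is enough to know the service is reachable; it does not log in or read any data. A "high" result for a device that is supposed to serve an office LAN only is the signal to pull the port forward or firewall rule before anything else.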
UpGuard's director of Cyber Risk Research Chris Vickery made the discovery on 19 January, something of a departure for him, as a large number of his past findings have involved unsecured Amazon Web Services S3 buckets.
In a detailed blog post, UpGuard's cyber resilience analyst Dan O'Sullivan said the device contained "highly sensitive information critical to MDJIA’s IT operations, divided between two sections – 'BBackup', an environment containing a vast repository of insurance customer and claimant data, and 'Share', a folder containing credentials and data for multiple internal administrative users".
The MDJIA is not a state body and the funds it uses do not come from the state. It exists because of US federal property insurance laws known as Fair Access to Insurance Requirements.
Policies from FAIR are meant to protect property holders who file frequent claims or who are in areas prone to natural disasters; they would find it prohibitively expensive to approach regular insurers. All insurers in Maryland contribute towards the running costs of MDJIA.
UpGuard said the "BBackup" folder contained a massive amount of personally identifiable information. One 60 GB folder, “appgen,” contained 10 sub-folders and more than 175,000 files dating from 2012. One sub-folder, titled 'DU', had 149,000 files containing applicants' names, addresses, and phone numbers.
"Property inspection reports and claim submission materials, such as photos of damaged properties, provide further private details about customers," O'Sullivan wrote.
"Most troubling, however, is the presence in 'appgen' of full Social Security numbers, alongside such information as insurance policy numbers and check images revealing full bank account numbers."
Also available in the exposed NAS device were MDJIA's access credentials for ISO ClaimSearch, "third-party insurance database offered by Verisk Analytics and containing 'tens of millions of reports on individual insurance claims' for industry professionals - a likely treasure trove of personally identifiable information if accessed by a malicious actor".
The data breach laws in Maryland stipulate that affected individuals should be told about breaches, provided that internal investigations have shown there is a reasonable chance that the leaked data will be misused.
UpGuard normally indicates that the company or organisation involved has been informed about the breach and has taken steps to secure the exposed site or device; this report does not say when the device was secured, though one assumes it was.
In the past, UpGuard has found misconfigured Amazon Web Services S3 buckets leaking data from Paris-based brand marketing company Octoly, California data analytics firm Alteryx, credit repair service National Credit Federation, the NSA, the Pentagon, global corporate consulting and management firm Accenture, publisher Dow Jones, a Chicago voter database, a North Carolina security firm, and a contractor for the US National Republican Committee.
Screenshot: courtesy UpGuard