A security lapse at insurance technology startup BackNine exposed hundreds of thousands of insurance applications after one of its cloud servers was left unprotected on the internet.
BackNine might be a company you’re not familiar with, but it might have processed your personal information if you applied for insurance in the past few years. The California-based company builds back-office software to help bigger insurance carriers sell and maintain life and disability insurance policies. It also offers a white-labeled quote web form for smaller or independent financial planners who sell insurance plans through their own websites.
But one of the company’s storage servers, hosted on Amazon’s cloud, was misconfigured to allow anyone access to the 711,000 files inside, including completed insurance applications that contain highly sensitive personal and medical information on the applicant and their family. It also contained images of individuals’ signatures as well as other internal BackNine files.
Of the documents reviewed, TechCrunch found contact information, like full names, addresses and phone numbers, but also Social Security numbers, medical diagnoses, medications taken and detailed completed questionnaires about an applicant’s health, past and present. Other files included lab and test results, such as blood work and electrocardiograms. Some applications also contained driver’s license numbers.
The exposed documents date back to 2015, and as recently as this month.
Because Amazon storage servers, known as buckets, are private by default, someone with control of the buckets must have changed its permissions to public. None of the data was encrypted.
Security researcher Bob Diachenko found the exposed storage bucket and emailed details of the lapse to the company in early June, but after receiving an initial response, he didn’t hear back and the bucket remained open.
We reached out to BackNine vice president Reid Tattersall, with whom Diachenko was in contact and ignored. TechCrunch, too, was ignored. But within minutes of providing Tattersall — and him only — with the name of the exposed bucket, the data was locked down. TechCrunch has yet to receive a response from Tattersall, or his father Mark, the company’s chief executive, who was copied on a later email.
TechCrunch asked Tattersall if the company has alerted local authorities per state data breach notification laws, or if the company has any plans to notify the affected individuals whose data was exposed. We did not receive an answer. Companies can face stiff financial and civil penalties for failing to disclose a cybersecurity incident.
BackNine works with some of America’s largest insurance carriers. Many of the insurance applications found in the exposed bucket were for AIG, TransAmerica, John Hancock, Lincoln Financial Group and Prudential. When reached prior to publication, spokespeople for the insurance giants did not comment.