BackNine – an insurtech start-up that creates back-office software for some of the biggest names in insurance – may have left hundreds of thousands of insurance applications unsecured for anyone to access.
One of the company’s storage servers hosted on Amazon’s cloud was misconfigured, enabling anyone to access the 711,000 files managed by BackNine. TechCrunch reported that the files included completed insurance applications with sensitive personal and medical information on applicants and their families.
The information potentially leaked includes applicants’ full names, addresses, phone numbers, social security numbers, medical diagnoses, medication histories, lab and test results, as well as completed questionnaires about the applicant’s health. Some of the applications also had driver’s license numbers.
In addition to the personal files, the unsecured storage also contained images of individuals’ signatures and other BackNine internal files. The exposed documents date from as far back as 2015 to as recently as this month. None of the data was encrypted.
TechCrunch noted that Amazon storage servers are private by default; it is suspected that someone with control of the servers changed their permissions to public.
BackNine works with several major insurance carriers. Many of the insurance applications found on the exposed server were for AIG, John Hancock, Lincoln Financial Group, Prudential, and TransAmerica.