
Massive Auto Insurance Data Leak Exposes Over 250k Sensitive Documents, Warns Cybersecurity Researcher

Updated: Oct 6, 2023

Jeremiah Fowler, a cybersecurity researcher, has uncovered a troubling data breach involving a non-password protected database containing over 250,000 documents related to auto insurance policies. The exposed documents contained highly sensitive personally identifiable information (PII) and were found by Fowler, who promptly reported the incident to vpnMentor.


Within the unsecured database, Fowler discovered an array of alarming documents, including vehicle registrations, division of motor vehicle registration applications, certificate of insurance cards, vehicle titles, driver's licenses, state Medicaid health coverage cards, and more. All the policies examined by Fowler were associated with USA Underwriters as the primary insurer. Despite immediately notifying USA Underwriters via multiple emails, Fowler received no response. He eventually managed to reach someone at the company by phone, urging them to address the data exposure. Approximately two hours later, the database was finally secured and access restricted, but it had been left vulnerable for at least two weeks prior to Fowler's discovery.


The situation took an unexpected turn when Fowler received a voicemail the following morning from an individual claiming to be a detective from the Detroit Police, seeking to ask him a few questions. Suspicious of the call, Fowler conducted a LinkedIn search using the detective's name and phone number, leading him to a profile matching the name of a USA Underwriters employee. Subsequent calls to the provided number resulted in consistent denials of any affiliation with USA Underwriters.


During these conversations, the person mentioned a third-party vendor named RateForce as the owner of the exposed database. This coincided with the database's listing as "RF******Prod" (redacted for security reasons). RateForce specializes in online car insurance quote comparison and holds an impressive track record, ranking as the #2 fastest-growing private insurance company in the Inc. 5000 list for 2021.


The compromised records referenced a significant number of independent insurance agents who had sold the policies, with documents originating from agencies and car dealerships involved in obtaining insurance for their customers. Fowler's preliminary analysis indicated the presence of identification documents from thousands of individuals, predominantly from Michigan, but also including licenses from Georgia, Arizona, and Virginia. Further investigation is required to determine if residents from other states were affected among the 255,000+ exposed documents.


Numerous insurance companies were referenced in the breached records, such as Gainsco Insurance (owned by State Farm), Progressive, Excepsure, Cimarron, L.A. Insurance, and more. Notably, all policies were underwritten by USA Underwriters, initially leading Fowler to believe the exposed database belonged to them. However, it was later confirmed that the database was owned by RateForce. Fowler clarifies that he does not insinuate any wrongdoing on the part of USA Underwriters, RateForce, or Samarpan Infotech, which manages RateForce's network and infrastructure. Rather, he aims to raise awareness about the discovery and the potential risks associated with the exposed data, urging affected individuals to stay vigilant against possible identity theft and fraudulent activities.


This data leak exposes auto insurance policyholders to various risks, including identity theft, auto insurance fraud, and misuse of sensitive information. Personal details within the breached records encompassed customer and applicant names, home addresses, phone numbers, driver's license numbers, vehicle identification numbers (VINs), and insurance policy details. Some documents contained additional personal data, such as Social Security numbers and financial information.


Auto insurance companies bear the responsibility of safeguarding their customers' personal information and promptly notifying them in the event of a data breach. Affected individuals are advised to regularly monitor their credit reports for suspicious activity, consider placing fraud alerts, and explore identity theft protection services for additional safeguards.


Fowler emphasizes the importance for organizations that collect and store sensitive customer data to prioritize security measures, including encryption and restricted access. He also highlights the need for effective internal communication channels to promptly address data incidents and ensure responsible disclosure notices are appropriately addressed, reducing exposure time and securing sensitive information swiftly.
