Top auto insurance firm leaked over 5 million records - here's what we know

10 hours ago 1

(Image credit: Pixabay)

ClaimPix exposed 5.1 million sensitive insurance files on an unsecured public database
Documents included personal data, vehicle details, and internal company records
ClaimPix restricted access and pledged code updates after researcher alerted them

ClaimPix, a company which streamlines car insurance claims, was leaking sensitive customer data on the clearweb, including people’s phone numbers, and email addresses, an expert has warned.

Security researcher Jeremiah Fowler, known for hunting down misconfigured and unprotected databases, recently found one such instance containing 5.1 million files, sharing his findings with WebsitePlanet.

The archive was 10TB in size, and included documents such as power of attorney, vehicle registration, estimates, repair invoices, and images of damaged vehicles with visible license plates and VIN numbers.

ClaimPix leaks

The data also included insurance documents with names, postal addresses, phone numbers, and emails, and registration documents with additional details about vehicles, but also internal documents with terms, fees, and other information that should not be available to the general public.

Fowler’s investigation led him to ClaimPix, a Hillside, Illinois technology company providing a self-service photo documentation platform to streamline insurance claims, damage assessments, and remote inspections. It covers multiple industries including insurance, car shipping, and contracting.

ClaimPix is a relatively small, privately-held organization, that operates with fewer than 25 employees, and generates roughly $5 million in annual revenue. According to some sources, it processed more than 25,000 claims across the United States, and built partnerships with firms like Bluestar Corporate Relocation.

Soon after Fowler reached out, the company restricted the database from public access, and apologized for the mishap.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“We have updated policies and our code to address this issue and will be making those changes live later this evening,” ClaimPix told the researcher.

A few details remain unknown: we don’t know if ClaimPix operates this archive, or if the work is outsourced to a third party. We also don’t know for how long it remained open, and if any threat actors accessed it before it was locked down. At press time, there was no evidence that the files were stolen or abused in phishing attacks.

Data center firm leaks massive 38GB database containing thousands of personal records online
Take a look at our guide to the best authenticator app
We've rounded up the best password managers

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read Entire Article