Cybersecurity researcher Jeremiah Fowler discovered an unencrypted, non-password-protected database that appeared to contain records from ClaimPix, an auto insurance claim filing and management platform. According to the researcher, the exposed database contained 5.1 million files totaling 10 TB of data. While it is unknown how long the database was exposed or whether malicious actors gained access, insurance organizations are attractive targets for cybercriminals; if the data was accessed, it could lead to cyber risks such as:
- Spear-phishing
- Impersonation
- Financial crimes
- Insurance or automotive ID fraud
- Targeted social engineering attempts, potentially resulting in identity theft
The records observed exposed personally identifiable information (PII), such as names, physical addresses, emails, and phone numbers, that could enable a malicious actor to carry out the aforementioned crimes. Registration documents were also exposed, revealing vehicle data such as the year, make, model, VIN, and more.
Approximately 16,000 power of attorney documents were also exposed, as were internal documents (like software license agreements).
While the records belong to ClaimPix, it is unclear if the database was owned and operated by the organization or by a third party. The researcher sent a responsible disclosure notice and received the following response: “Thank you for alerting us to the security issues that you mentioned. We have investigated and confirmed your findings. We wanted to respond to you with a plan after we had time to identify the issue and also begin steps to remediate it. We have updated policies and our code to address this issue and will be making those changes live later this evening.”

Based in New York, Stephen Freeman is a Senior Editor at Trending Insurance News. Previously he has worked for Forbes and The Huffington Post. Steven is a graduate of Risk Management at the University of New York.