Insurance technology startup BackNine reportedly suffered a server exposure that leaked 711,000 insurance applications. An incorrect cloud configuration left a storage server exposed on the internet.
Security researcher Bob Diachenko found the exposed storage bucket. After he informed the startup in June, the company did not follow up beyond its initial reply to him. Diachenko stated on Twitter that a company executive was informed of the security exposure but ignored the message, and the server remained open and exposed. According to TechCrunch, the company also declined to answer emails asking about its data breach disclosure procedures, including whether it would notify potential victims. Only after TechCrunch provided the name of the exposed server did BackNine finally close it.
The data exposed by the BackNine cloud server exposure includes contact information, Social Security Numbers, medical diagnoses, medications, health questionnaires, driver’s licenses, and lab results.
BackNine works with some of the largest insurance companies in the United States. We spoke to multiple cybersecurity experts to learn more. Here’s what they had to say.
BackNine Server Exposure: Expert Commentary
Trevor Morgan is Product Manager at comforte AG.
“The report that BackNine accidentally leaked highly sensitive information due to a misconfigured cloud server underscores a valuable point. In many instances, simple human error rather than brute force by threat actors sets the stage for incidents like these. Often, focusing on the culture of data privacy within the organization can have a positive effect and help avoid these types of situations. Employees need to feel that data security is a higher priority than speed or just getting the next task done. Better processes, better checks and balances, and above all strong data-centric security such as tokenization, which protects the data itself rather than the perimeters around that data, all contribute to a healthy culture of data privacy.”
Eric Kron is a Security Awareness Advocate at KnowBe4.
“Unfortunately, this is another example of what is likely a human error when securing data on a cloud platform, resulting in the exposure of sensitive information for a considerable number of people. The organization’s lack of response to a notification about the issue from a security researcher nearly a month ago, and the current lack of response to media inquiries is surprising. Organizations that handle hundreds of thousands of documents containing sensitive information, including this health-related data provided as part of the insurance application process, would be wise to take reports of this type of data exposure seriously and have a process by which to quickly respond and secure the data.
In addition, regulations around the handling of data such as this typically require it to be encrypted; however, it appears that also was not the case. Had the data been encrypted, this would not have been a significant incident as the sensitive information could not have been read, making the data useless to cyber-criminals.
While the data was discovered as being exposed on the internet, it does not mean cyber-criminals have accessed the data; however, because it will likely be impossible to prove otherwise, it must be assumed to have been stolen. It is likely that the organization will face stiff penalties from regulators and likely lawsuits related to the mishandling of the data. Silence about the issue may further erode trust. Best practices would be to acknowledge the issue and be as transparent about what has happened as possible, even if they do not have all of the answers at this time.”
Stephan Chenette is Co-Founder and CTO at AttackIQ.
“It doesn’t take much for outsiders to find unsecured databases and access sensitive information. This situation highlights the complexity and far-reaching damage of a B2B data leak that not only impacts BackNine itself but also its customers, who are some of America’s largest insurance carriers that rely on its services to keep their operations moving forward.
It also serves as an important reminder that an organization’s reputation is tied to the data breaches of the third parties they choose to work with. It is likely that all organizations involved will suffer reputational damage, legal consequences, and loss of business. That is why it is in the best interest of every organization to ensure their third parties validate their own security controls and configurations.
The mistake or overlooked security measure that led to this breach was most likely a very simple one that could have been prevented. AWS buckets are private by default, so someone with control of those buckets must have changed their permissions to public.
Organizations must take proactive approaches to protect their data. This should include mapping organizational capabilities and security controls to specific attack scenarios to measure their preparedness to detect, prevent and respond to these threats. They should also employ continuous evaluation of their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses.”
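The kind of continuous configuration check the commentary above calls for, as an added example that is not code from BackNine, AWS or any of the quoted vendors: it evaluates an S3 bucket's ACL, Public Access Block and default-encryption settings in the response shapes boto3 returns, using constructed sample responses (the bucket names and owner ID are placeholders).

```python
# Added example. Assesses S3 bucket settings in the dict shapes returned by
# boto3's get_bucket_acl, get_public_access_block and get_bucket_encryption.
# The sample responses at the bottom are constructed; in practice they come
# from those API calls, made with read-only credentials.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_grants(acl):
    """Return [(group, permission)] for ACL grants to the anonymous or any-AWS-account groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            out.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return out


def assess_bucket(name, acl, pab=None, enc=None):
    """Return a list of findings. pab/enc are None when no configuration exists
    (boto3 raises NoSuchPublicAccessBlockConfiguration or
    ServerSideEncryptionConfigurationNotFoundError in that case)."""
    findings = []
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    grants = public_grants(acl)
    # A public ACL is only neutralised if IgnorePublicAcls overrides it.
    if grants and not cfg.get("IgnorePublicAcls", False):
        findings.append(f"{name}: effective public ACL grants {grants}")
    missing = [k for k in PAB_KEYS if not cfg.get(k, False)]
    if missing:
        findings.append(f"{name}: Public Access Block not fully enabled (missing {missing})")
    rules = (enc or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in r for r in rules):
        findings.append(f"{name}: no default server-side encryption")
    return findings


# Constructed samples: one bucket whose ACL was switched to public with no
# Public Access Block (the failure mode in this incident), one at safe settings.
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
SAFE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                        "Permission": "FULL_CONTROL"}]}
SAFE_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}
SAFE_ENC = {"ServerSideEncryptionConfiguration": {
    "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}

if __name__ == "__main__":
    for line in assess_bucket("exposed-apps", EXPOSED_ACL) + assess_bucket("safe-apps", SAFE_ACL, SAFE_PAB, SAFE_ENC):
        print(line)
```

The exposed sample yields three findings (public READ grant, no Public Access Block, no default encryption) and the safe sample none.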
Thanks to the experts for their time and expertise on the BackNine server exposure. For more, check out the Solutions Review SIEM Buyer’s Guide.