In a blow to consumer privacy that recalls previous breaches in the credit repair and marketing industries, the UpGuard Cyber Risk Team can now disclose that the Maryland Joint Insurance Association (JIA), a private-sector program providing property insurance in the state, exposed personally identifiable information for thousands of individuals to the public internet via a misconfigured storage device. This data exposure once again underscores the ease with which highly sensitive, personally identifiable information can leak online - in this instance, through an open port on an internet-connected device.
Revealed within the exposed data repository is a backup of JIA customer files and claims, containing such information as customer names, addresses, phone numbers, birth dates, and full Social Security numbers, as well as financial data such as check images, full bank account numbers, and insurance policy numbers. Beyond this critical customer information, the leak also reveals an array of internal access credentials used to manage and administer MDJIA’s operations, including remote desktop, email, and third-party partner usernames and passwords.
With one misconfiguration capable of spelling the difference between data integrity and disaster, it is imperative that enterprises devote sufficient resources to processes that consistently safeguard their data. The presence in the repository of access credentials to external platforms further highlights the potential dangers faced by third-party vendors sharing information with business partners.
On January 19th, 2018, UpGuard Director of Cyber Risk Research Chris Vickery notified the Maryland JIA that he had discovered an unsecured network-attached storage (NAS) device belonging to the insurance group. Connected to the public internet and accessible through an open port, the device contained highly sensitive information critical to MDJIA’s IT operations, divided between two sections - “BBackup,” an environment containing a vast repository of insurance customer and claimant data, and “Share,” a folder containing credentials and data for multiple internal administrative users.
The BBackup and Share folders.
Put together, the exposed data provides deep insight into the workings of the Maryland Joint Insurance Association, a distinct type of state-mandated insurance program that, as its website clarifies, “is not a state agency nor do any of its operating funds come from the state.” The Maryland JIA, along with similar organizations in dozens of other states, originates from the passage of federal regulations for property insurance known as FAIR (Fair Access to Insurance Requirements).
What is a FAIR property insurance policy, and how do organizations like the Maryland JIA provide them? FAIR policies work to protect property owners with a history of filing claims on their insurance, or who live in areas that face a strong likelihood of natural disaster or property damage. Left to find coverage on the open market, many such property owners would be unable to secure a policy, being considered risky bets by insurers. FAIR policies thus provide an affordable baseline of coverage to these most vulnerable owners who might otherwise be denied any other insurance. While state insurance associations like the Maryland JIA are not public agencies, state governments mandate that private insurers fund FAIR “shared market plan” insurance coverage, with any earnings from payments invested back into program. As such, per the MDJIA’s website, this pool of insurers “is comprised of all voluntary market insurance companies which are licensed and writing basic property insurance, homeowners insurance and property insurance components of multi-peril policies in the State of Maryland.”
In Maryland, this means that insurers operating in the state all contribute toward the JIA, which in turn helps the state’s most vulnerable property owners attain coverage. Unfortunately, with the exposure of a backup subfolder folder labeled as “Live,” thousands of these same vulnerable customers were exposed through this unsecured storage device.
The interior of the "Live" subfolder.
The “BBackup” section contains an enormous variety of files, all servicing the customer-facing side of JIA’s IT operations, from applications to contracts to claims. As such, this data contains a great deal of personally identifiable information compiled during the course of applications for coverage and the filing of claims. One 60 GB folder, “appgen,” contains ten subfolders and over one hundred and seventy-five thousand files from 2012 to the present day. One such subfolder, titled “DU,” contains one hundred and forty-nine thousand files, compiling such information as applicant names, addresses, and phone numbers.
A sensitive MDJIA internal customer document.
Property inspection reports and claim submission materials, such as photos of damaged properties, provide further private details about customers. Most troubling, however, is the presence in “appgen” of full Social Security numbers, alongside such information as insurance policy numbers and check images revealing full bank account numbers.
An insurance document containing highly sensitive applicant information.
The operational section of the repository, “Share,” contains similarly sensitive information about the administration of Maryland JIA’s IT assets. Lists of internal passwords, including for JIA email addresses, are stored in plaintext within the folder, as is a screenshot of TeamViewer remote desktop access credentials.
MDJIA's ISO ClaimSearch access credentials.
Potentially more damaging is the exposure of MDJIA access credentials for ISO ClaimSearch, a third-party insurance database offered by Verisk Analytics and containing “tens of millions of reports on individual insurance claims” for industry professionals - a likely treasure trove of personally identifiable information if accessed by a malicious actor.
This exposure of highly sensitive personal information for thousands of insurance customers, as well as critical access credentials used within the Maryland Joint Insurance Association’s operations, constitute a serious leak of personally identifiable information and access keys that could be easily used to victimize affected individuals. This leak provides further proof that cyber risk is an increasingly powerful force which institutions must devote serious time and energy to mitigating - or risk devastating data exposures which could seriously endanger individuals and enterprises alike.
The disclosure of names, addresses, phone numbers, and, in particular, full Social Security numbers, opens up thousands of Maryland residents to the plausible prospect of identity theft, were the repository to fall into the hands of malicious actors. The presence of this information in combination with full bank account and insurance policy numbers provides ample material for account fraud, financial attacks, and perhaps even insurance fraud.
All of these threats are especially damaging in light of the individuals affected: the most vulnerable property owners in Maryland, likely unable to secure insurance through any other provider but the Joint Insurance Association. Maryland’s updated breach notification law mandates notification to affected consumers, provided internal investigation “shows that there is a reasonable chance that the data will be misused.” While there is no way for the UpGuard Cyber Risk Team to determine whether any malicious actors accessed this information, or whether such law applies in this case, what is certain is that it is always crucial that enterprises swiftly notify affected individuals and remain transparent.
The leak of internal credentials within JIA could, in the hands of criminals, be used to further compromise other systems, possibly uncovering more critical data. Access to JIA email accounts could enable malicious actors to pose as the firm, thereby extracting more sensitive information from applicants and insurees. The inclusion of login details for the ClaimSearch database, and the danger that millions more insurance records could have been accessed and misused, is also a prime example of how third-party vendor risk can be realized, extending cyber risk well beyond one entity and exposing other partner businesses.