US Auto Insurance Platform ClaimPix Exposed 10.7TB of Data Online

A substantial cache of data belonging to ClaimPix, an Illinois-based auto insurance claims management platform, has recently been identified as being publicly exposed online without any security measures.

Cybersecurity researcher Jeremiah Fowler uncovered a database comprising over 5.1 million files—equating to a staggering 10.7 terabytes—completely unprotected by passwords and devoid of encryption. This discovery was reported by Website Planet and subsequently highlighted on Hackread.com.

Millions of Records Left Unprotected

The unprotected database was found to contain personally identifiable information (PII). In a preliminary review of a subset of the files, Fowler identified sensitive insurance documents that included customer names, home addresses, phone numbers, and email addresses. Additionally, the database held higher-risk documents such as official vehicle registrations, repair invoices, and images of damaged vehicles, all prominently displaying license plates and Vehicle Identification Numbers (VINs).

Moreover, the database contained internal company documents, including sensitive software licensing agreements. The exposed records also carried detailed vehicle information, including year, make, and model, which significantly amplifies the data’s potential impact.

The Threat of Impersonation and Fraud

Among the most concerning revelations were approximately 16,000 Power of Attorney (POA) documents. These documents delegate legal authority to another individual to manage vehicle transactions on behalf of the owner. Given that these POAs were electronically signed and contained the signer’s IP addresses, they present a significant risk of misuse.

Criminals could exploit this wealth of personal information combined with legal authority for identity theft, financial fraud, or even fabricating entirely new identities. The exposure of VINs and license plate numbers opens up avenues for “vehicle cloning,” a fraudulent activity mirroring the tactics of identity theft, as described by Fowler in the blog post.

ClaimPix has recognized the gravity of this incident. Following a responsible disclosure from Fowler, the company acted swiftly to secure the database, asserting, “We have investigated and confirmed your findings.” The company also reported that it has updated its policies and code to mitigate future risks and plans to implement these changes immediately. A commitment to protecting the integrity of customer data going forward is undoubtedly a positive development.

Nevertheless, it remains unclear whether ClaimPix directly managed the database or whether it was overseen by a third-party vendor, and the duration of the data’s exposure is still largely unknown. This incident underscores the critical need for robust cybersecurity measures in today’s digital landscape.
