Cybersecurity researcher Jeremiah Fowler discovered a large, unprotected database containing sensitive insurance and vehicle information. It held over 5.1 million files, totaling 10TB, including powers of attorney, vehicle registrations, repair invoices, and images of damaged vehicles showing license plates and VINs.
According to Fowler, “The publicly exposed database was not password-protected or encrypted. It contained 5,170,256 files and images.”
A sampling of these files revealed a wide range of personally identifiable information (PII):
Names, physical addresses, phone numbers, and emails.
Registration documents with VINs, vehicle year, make, and model.
Nearly 16,000 power of attorney documents granting legal authority to transfer or assign titles, some even including the IP addresses of individuals who signed them electronically.
Fowler also discovered internal documents, including software licenses and sensitive business records, that were improperly exposed.

The exposed data appeared to belong to Illinois-based ClaimPix, a platform used across the U.S. for managing and filing auto insurance claims. Fowler explained, “Information inside the database (and the name of the database itself) indicated the records belonged to Illinois-based ClaimPix… I immediately sent a responsible disclosure notice to ClaimPix, and the database was restricted from public access shortly after.”
It is still unknown whether the data was exposed for a long time or accessed by unauthorized users before access was restricted.
The type of data exposed poses severe risks of fraud and identity theft. Fowler warned, “The exposure of personal data, insurance information, and even identification documents pose numerous potential risks both online and offline.”
For example:
VIN cloning: using stolen VINs to illegally register stolen or salvaged cars.
Insurance fraud: impersonating policyholders to file fraudulent claims or intercept payouts.
Impersonation attacks: exploiting powers of attorney to transfer vehicle ownership without the owner’s knowledge.
Fowler noted that criminals can merge data from different people to create fake identities for fraud.
Following Fowler’s disclosure, ClaimPix responded: “Thank you for alerting us to the security issues that you mentioned. We have investigated and confirmed your findings… We have updated policies and our code to address this issue and will be making those changes live later this evening.”
Fowler advises that “companies in the insurance industry… encrypt all sensitive data… enforce access controls with multi-factor authentication… and perform regular audits of cloud storage systems to ensure they restrict public access.”