
Unprotected Kafka stream at insurtech firm Companjon exposes millions of data records

Companjon, a Dublin-based insurance technology company that provides B2B2C insurance services for major European travel platforms, exposed an unsecured Apache Kafka stream that leaked millions of real-time data logs containing travel itineraries, personal information, and sensitive partner interactions. The issue remained active for weeks before being secured in late November.


The exposed instance, discovered in late August, streamed millions of records over several hours. Kafka processes only live data, but activity observed over seven days showed more than 15 million records passing through two topics, indicating that the total volume during the exposure period may have reached an estimated 960 million logs. The investigation continues to assess the full scope of the leak.


More than 15,000 records included personally identifiable information such as full names and email addresses, representing roughly 0.1 percent of the exposed dataset. The majority of logs involved travel and financial data without direct identifiers, but they included authorization tokens and detailed interactions with major travel partners such as Trainline, Omio, and TripX. Researchers found that the accessible data window spanned from August 20 to August 28, with fresh records appearing just hours before the exposure was remediated.


The leaked content included highly specific future travel itineraries, revealing exact routes, carriers, and dates for trips planned into 2026. The combination of personal, financial, location, and upcoming travel details creates opportunities for targeted fraud, including impersonation schemes involving hotels or travel providers.


Companjon’s business model involves working with travel agencies and digital commerce platforms that rely on the company to deliver insurance services using end-user data. Although La Mobilière, Companjon’s parent company, announced in July that it would wind down the insurtech’s operations to refocus on its core business, Companjon continues to service existing insurance products, leaving ongoing customer exposure risks until the issue is fully resolved.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543