Insurance software provider Vertafore exposed PII of 27.7m US citizens

Driver license numbers and other personal details of as many as 27.7 million U.S. citizens were compromised earlier this year after an employee at insurance software provider Vertafore stored internal data files in an unsecured external storage service that was then accessed by third parties.

The massive breach of the personal information of millions of people was disclosed by Vertafore in a data incident notification in which the firm said that the incident resulted in the compromise of Texas driver license numbers, as well as names, dates of birth, addresses, and vehicle registration histories of approximately 27.7 million people.

The firm said these details were stored in three data files that were inadvertently stored in an unsecured external storage service that appears to have been accessed without authorisation. The compromised data files were maintained to support a specific product within Vertafore’s insurance rating solutions but did not contain social security numbers or people's financial information.

"In mid-August, Vertafore determined that, at some point between March 11 and August 1 of this year, there was a potential unauthorized access to the three data files. The files, which included driver information for licenses issued before February 2019, contained Texas driver license numbers, as well as names, dates of birth, addresses, and vehicle registration histories. They did not contain any Social Security numbers or financial account information," the company said.

"Vertafore immediately engaged a leading intelligence firm to search for evidence indicating potential misuse of this information in connection with this event. Although that firm did not find any evidence, to be considerate of all Texas driver license recipients and out of an abundance of caution, Vertafore is offering them one year of free credit monitoring and identity restoration services in recognition that these services offer valuable protection in other contexts beyond this event."

The insurance software provider added that it was alerted about the security incident by a trusted third party, following which it immediately secured the potentially affected files and reported the incident to the Texas Attorney General, Texas Department of Public Safety, Texas Department of Motor Vehicles, and U.S. federal law enforcement.

Many people may wonder why a software solutions provider needs to store and process the personally identifiable information of millions of people. Here's what Vertafore said in response:

"The data was maintained to support some of Vertafore’s insurance rating solutions. Vertafore is a software solutions partner for independent insurance agencies and brokers, managing general agents (MGAs) and the companies that provide your insurance coverage (carriers) to help them better manage their businesses. Vertafore uses this data to help them accurately rate dozens of carriers in less time than it takes to generate a quote through a single carrier website."

Commenting on the massive breach of Texas driver records, Trevor Morgan, Product Manager at comforte AG, said the Vertafore data breach, in which the personally identifiable information of millions of Texas drivers was revealed, reinforces the weaknesses inherent in a perimeter-only strategy.

"The breach was reported to have occurred due to the sensitive data being transferred to an unsecured external storage device. If that data itself had been secured, rather than relying on the security mechanisms of the storage device or the perimeter around it (or lack thereof), then the data essentially would be useless to anybody trying to leverage the stolen information.

"This style of defence, known as data-centric security, includes methods such as tokenization, which replaces sensitive information with meaningless representational tokens. The best part is that data-centric security travels with the data, so even if it winds up in an unsecured location, as happened in the Vertafore breach, people’s most sensitive personal information will still be protected," he added.
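To make the tokenization approach Morgan describes concrete, here is an added example (not code from Vertafore, comforte or the original article) that swaps the sensitive fields of driver records for random tokens before the file leaves the trusted environment. The token-to-value mapping lives only in a separate vault, so a copy of the tokenized file carries no usable PII on its own. The record layout, field names and sample values are constructed for the example; an in-memory dict stands in for what would be a separately secured vault service.

```python
"""Vault-based tokenization of driver-licence records (added example).

Sensitive fields are replaced with random tokens; the mapping back to the
original values exists only inside the TokenVault. A tokenized file that
ends up in an unsecured location exposes nothing without the vault.
"""
import json
import secrets
from typing import Dict, List

# Fields treated as sensitive for this example (constructed list, modelled
# on the data types named in the breach notice).
SENSITIVE_FIELDS = ("driver_license", "name", "date_of_birth",
                    "address", "vehicle_registration")

# Constructed sample records; no real people or licence numbers.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"record_id": "r-001", "state": "TX", "driver_license": "00000001",
     "name": "Example Person One", "date_of_birth": "1970-01-01",
     "address": "1 Sample Street, Austin", "vehicle_registration": "REG-AAA"},
    {"record_id": "r-002", "state": "TX", "driver_license": "00000002",
     "name": "Example Person Two", "date_of_birth": "1985-06-15",
     "address": "2 Sample Street, Dallas", "vehicle_registration": "REG-BBB"},
]


class TokenVault:
    """Maps tokens to original values. In production this would be a
    separately secured, access-controlled store; a dict stands in here."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Reuse the token for a repeated value so joins on the token still work.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            # Random token: nothing about the original value can be derived from it.
            token = "tok_" + secrets.token_hex(8)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for unknown tokens; only vault holders can reverse.
        return self._token_to_value[token]


def tokenize_records(records: List[Dict[str, str]], vault: TokenVault) -> List[Dict[str, str]]:
    """Return copies of the records with every sensitive field tokenized."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in SENSITIVE_FIELDS:
            if field in copy:
                copy[field] = vault.tokenize(copy[field])
        out.append(copy)
    return out


def detokenize_records(records: List[Dict[str, str]], vault: TokenVault) -> List[Dict[str, str]]:
    """Reverse tokenize_records; requires access to the vault."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in SENSITIVE_FIELDS:
            if field in copy:
                copy[field] = vault.detokenize(copy[field])
        out.append(copy)
    return out


def contains_plaintext(serialized: str, originals: List[Dict[str, str]]) -> bool:
    """True if any sensitive value from the originals appears verbatim in the
    serialized (e.g. exported) data, i.e. the export would leak PII."""
    return any(rec[f] in serialized
               for rec in originals for f in SENSITIVE_FIELDS if f in rec)


if __name__ == "__main__":
    vault = TokenVault()
    exported = json.dumps(tokenize_records(SAMPLE_RECORDS, vault), indent=2)
    print(exported)
    print("export leaks PII:", contains_plaintext(exported, SAMPLE_RECORDS))
```

The exported JSON keeps only non-sensitive fields (record id, state) in the clear; the rating logic can still group or join on tokens, and only a process with vault access can recover the original values.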

In September this year, security researcher Bob Diachenko also discovered a misconfigured Amazon Web Services S3 bucket that contained photos of driving licences of around 54,000 Australian citizens. The photos contained detailed personal information such as names, dates of birth, driving licence numbers, and home addresses.

ABC News quoted Diachenko as saying that the AWS S3 bucket was easily discoverable, contained as many as 108,535 back-and-front scans of driving licences of drivers who registered in New South Wales and was probably viewed and abused by malicious actors.
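The Australian case above turned on a bucket that anyone could read. As an added example (not code from the article or from the researcher named in it), the following offline check inspects an S3 bucket policy document and an ACL listing for the two settings that make a bucket world-readable: an `Allow` statement for the wildcard principal with no condition, and a grant to the AllUsers group. The policy and ACL below are constructed inputs shaped like the documents AWS returns; the bucket name is a placeholder.

```python
"""Offline detection of public-read S3 bucket configuration (added example)."""
import json
from typing import Any, Dict, List

# Canned-ACL group URI that means "everyone on the internet".
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"

# Constructed bucket policy: this is the weak form that exposes every object.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadForScans",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-PLACEHOLDER/*",
    }],
})

# Constructed corrected policy: access only from one named role in the account.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProcessingRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/EXAMPLE-ROLE-PLACEHOLDER"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-PLACEHOLDER/*",
    }],
})

# Constructed ACL in the shape of a get_bucket_acl response.
PUBLIC_ACL: Dict[str, Any] = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI},
         "Permission": "READ"},
    ]
}


def _principal_is_public(principal: Any) -> bool:
    """Wildcard principal, either bare "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json: str) -> List[str]:
    """Return the Sids of Allow statements that grant access to everyone
    without any Condition block narrowing who can use them."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue   # conditioned statements need manual review, not auto-flag
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """Return the permissions granted to the AllUsers group via the ACL."""
    return [grant["Permission"] for grant in acl.get("Grants", [])
            if grant.get("Grantee", {}).get("URI") == ALL_USERS_URI]


if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(PUBLIC_POLICY))
    print("restricted policy findings:", public_policy_statements(RESTRICTED_POLICY))
    print("AllUsers ACL grants:", public_acl_grants(PUBLIC_ACL))
```

In a real review the policy and ACL would come from the account's own API output; checking both matters because either mechanism alone is enough to make the objects readable by anyone who learns the bucket name.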

Copyright Lyonsdown Limited 2020