A software startup that provides independent insurance brokers with customer management software has exposed highly sensitive information on thousands of insurance policy holders.
A vast cache of data was stored in an Amazon S3 storage bucket by AgentRun, a Chicago, Ill.-based company founded in 2012 by Andrew Lech, a former independent insurance broker.
The bucket stored thousands of files of broker clients using the company's platform, including highly sensitive personal information like insurance policy documents, health and medical information, and some financial data.
The bucket wasn't protected with a password and was accessible by anyone.
Andrew Lech, the company's founder, admitted the breach in an email.
"We were migrating to this bucket during an application upgrade and during the migration the permissions on the bucket were erroneously flipped," he said.
The bucket was closed within an hour of disclosure.
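The failure described above is a bucket whose permissions were left world-readable after a migration. The following is an added audit helper (it is not AgentRun's code and not an AWS library) that evaluates the three places where an S3 bucket becomes public: the bucket policy, the bucket ACL, and the Block Public Access settings. The input shapes mirror what boto3's `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block` return, but the sample policy, ACL grants and bucket name `example-migration-bucket` are constructed here so the script runs offline; all function names are the example's own.

```python
"""Audit helper: flag S3 bucket settings that make a bucket world-readable.

Added example for illustration; evaluates bucket policy, bucket ACL and
Block Public Access flags. Inputs are plain dicts shaped like the boto3
responses, constructed inline below so the check runs offline.
"""
import json

# S3's two predefined "everyone" groups; grants to either make a bucket public
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let an anonymous principal list or download objects
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal):
    """A statement is public when its Principal is "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def _actions(stmt):
    act = stmt.get("Action", [])
    return [act] if isinstance(act, str) else act


def policy_findings(policy_doc):
    """Findings for Allow statements that grant read actions to everyone."""
    findings = []
    if policy_doc is None:  # no bucket policy attached
        return findings
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if "Condition" in stmt:
            continue  # conditional grants need manual review; not flagged here
        public_reads = [a for a in _actions(stmt) if a.lower() in READ_ACTIONS]
        if public_reads:
            findings.append(
                f"bucket policy allows {', '.join(public_reads)} to everyone")
    return findings


def acl_findings(grants):
    """Findings for ACL grants to the AllUsers/AuthenticatedUsers groups."""
    findings = []
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {g.get('Permission')} to {group}")
    return findings


def public_access_block_findings(pab):
    """Findings when any of the four Block Public Access flags is off."""
    pab = pab or {}  # None means no configuration exists: every flag is off
    return [f"{flag} is not enabled" for flag in PAB_FLAGS if not pab.get(flag, False)]


def audit_bucket(policy_doc, grants, pab):
    """Combine all checks; a non-empty list means the bucket may be world-readable."""
    return (policy_findings(policy_doc) + acl_findings(grants)
            + public_access_block_findings(pab))


# Constructed sample: a bucket left open, as a migration mistake might leave it
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-migration-bucket/*"}]
}""")
EXPOSED_GRANTS = [{"Grantee": {"Type": "Group",
                               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                   "Permission": "READ"}]
OPEN_PAB = {flag: False for flag in PAB_FLAGS}
# Constructed sample: the hardened state (no policy, no public ACL, all flags on)
LOCKED_PAB = {flag: True for flag in PAB_FLAGS}

if __name__ == "__main__":
    for name, args in (("exposed", (EXPOSED_POLICY, EXPOSED_GRANTS, OPEN_PAB)),
                       ("locked", (None, [], LOCKED_PAB))):
        print(name, "->", audit_bucket(*args) or "no public exposure found")
```

Run against live accounts, the same functions take the dicts returned by boto3; a useful routine is to run the check in CI against every bucket before and after any migration step, since the policy and ACL are exactly the settings an upgrade script can rewrite.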
The data included detailed insurance policy documents containing names, postal addresses, dates of birth, and phone numbers. In some cases there were also documents revealing an income range, ethnicity, and marital status.
Many of the documents were scans of people's identification documents, including Social Security cards and numbers, Medicare cards, and other documents such as driver's licenses and armed forces and voter identification cards.
Some policy holders also enclosed blank bank checks.
The data also included sensitive health information, including a person's prescriptions, dosages, and costs, which can reveal medical conditions.
Insurance companies found in the data included Cigna, TransAmerica, SafeCo Insurance, Schneider Insurance, Manhattan Life, and Everest, to name a few.
The startup's website claims its service is "secure" and uses the "latest encryption standards" to protect sensitive data, but we found no evidence that any encryption was used on the data stored in the bucket.
Lech said that the company will notify customers and all individuals whose data was breached.
"We will also be notifying the proper authorities," he said, as required by state breach notification laws.