Insurance startup leaks sensitive customer health data

A software startup that provides independent insurance brokers with customer management software has exposed highly sensitive information on thousands of insurance policy holders. A vast cache of data was stored in an Amazon S3 storage bucket by AgentRun, a Chicago, Ill.-based company founded in 2012 by Andrew Lech, a former independent insurance broker.

The bucket stored thousands of files of broker clients using the company’s platform, including highly sensitive personal information like insurance policy documents, health and medical information, and some financial data. The bucket wasn’t protected with a password and was accessible by anyone. Andrew Lech, the company’s founder, admitted the breach in an email.

Read more about the unintentional leak of sensitive customer health data by AgentRun on ZDNet.

We view this type of vulnerability, the configuration error, to be one of the most serious. This is why configuration needs to be independently checked.

For independent assessments of your security posture, contact us at OODA LLC and ask about our CISO-as-a-Service offering.