3 million payment details leaked in the incident as well

Sep 19, 2015 14:39 GMT

A Texas-based tech aficionado accidentally stumbled upon gigabytes of data belonging to multiple insurance claims companies, stored on an unprotected AWS (Amazon Web Services) server accessible via a public subdomain.

After downloading the data and realizing what he had uncovered, he immediately contacted the companies involved, which, in about 30 minutes, took down the AWS subdomain responsible for the leak.

Over 1.5 million user details, 3 million payment details leaked

As this unknown source, later identified by Gizmodo as Chris Vickery, told Office of Inadequate Security, much of the data belonged to the Kansas State Self Insurance Fund, containing 1,099,000 database entries that revealed information like names, addresses, social security numbers, tax ID numbers, phone numbers, state, and ZIP code.

Vickery also found 3 million payment details belonging to the CSAC Excess Insurance Authority (CSAC-EIA) customers, and an additional 570,000 detailed user entries containing info like names, social security numbers, phone numbers, addresses, ethnicity, city, state, ZIP code, and birth date.

But that wasn't all. The ZIP files he downloaded from the AWS server also contained thousands of scanned PDF insurance claims, all belonging to the Golden State Risk Management Authority, an insurance pool from Northern California.

Other smaller databases were found containing user details from American All-Risk Loss Administrators (AARLA)/Risico, Millers Mutual Group, and Crosswalk Claims Management.

Systema Software is responsible for the leak

Responsible for operating the server was Systema Software, a software company that provides solutions for managing small insurance and medical claims.

Vickery also claims he found a lot of proprietary software inside of the AWS leak, which Systema's "competitors would love to get their hands on."

At the time of writing, none of the companies involved has published a statement about the incident on its site, and neither has Systema Software.

In an email to Gizmodo, Systema representatives said they could confirm that only Vickery downloaded the data, and he is scheduled to meet with the Texas Attorney General so he can properly wipe all the data he downloaded from his computer.