An activist short seller (an investor who borrows a security and sells it on the open market, planning to buy it back later for less money) has written a letter to the chief executive of insurance giant Lemonade, highlighting risks to important data.
The letter, which has been viewed and reported on by TechCrunch, provides details of an “accidentally discovered” security flaw within the system, one that exposes customers’ account data.
Lemonade was established in 2015. The financial firm offers renters’, homeowners’ and pet insurance policies. The company operates across the U.S. and Europe.
The message about the security flaw comes from Carson Block, founder of investment research firm Muddy Waters Research. Block sent the letter to Lemonade co-founder and chief executive Daniel Schreiber, describing the bug that allowed anyone to inadvertently access personally identifiable data from customers’ accounts as “unforgivably negligent.”
Block’s letter said: “By clicking on search results from public search engines, we shockingly found ourselves logged in to and able to edit Lemonade customers’ accounts without having to provide any user credentials whatsoever.”
This means that a serious risk to users’ data exists, as well as the risk of serious fraud occurring. One listed search result enabled those so minded to log into an individual’s Lemonade account and access their name, address, and quote details. This was without needing to provide a password or any other method of authentication.
Looking at the matter for Digital Journal is Pravin Rasiah, VP of Product, CloudSphere.
Rasiah says: “Without holistic awareness within your IT infrastructure, a security flaw such as this one can exist for an indeterminate amount of time before the issue is flagged.”
On this specific instance, Rasiah says: “In this case, security researchers were the ones to discover Lemonade’s bug, but many businesses may not be so fortunate.”
And in terms of what needs to be considered, Rasiah recommends: “In order to ensure that all gaps in security are addressed and fixed in a timely manner, a cloud governance platform providing comprehensive, real-time observability into the IT infrastructure is essential.”
The consequence of this, Rasiah says, is that: “With guardrails in place, security teams can stay apprised of abnormalities and ensure data remains secure before bad actors can infiltrate or sensitive information is exposed.”