BackNine, an insurance tech startup, has exposed hundreds of thousands of insurance applications after leaving a misconfigured Amazon cloud server unprotected online. It appears that one of the company’s storage servers, hosted on Amazon’s cloud, was misconfigured to allow anyone access to the 711,000 files inside.
The server contained insurance applicants’ personal and medical data, including full names, addresses, phone numbers, social security numbers, medical diagnoses, medications taken, and lab results. Researchers believe someone changed the bucket’s permission from private to public, and none of the data was encrypted. The data was secured after researchers notified the company.
Looking at the situation for Digital Journal is Anurag Kahol, CTO and co-founder of Bitglass.
According to Kahol, cloud security is vulnerable: “Gartner predicts that 99 percent of cloud security failures will be due to human error through 2025, and this incident is a prime example of human error causing the exposure of highly sensitive personally identifiable information (PII) — hundreds of thousands of records including names, addresses, phone numbers and social security numbers.”
Kahol identifies a common error made by many firms: “A simple mistake such as changing bucket permissions from private to public can lead to significant financial and personal damage for both the organization and its impacted customers.”
This is a serious subject that businesses need to actively engage with, according to Kahol: “Organizations responsible for PII can’t afford to leave room for human error when it comes to their security strategies.”
In terms of immediate actions, he recommends: “They must leverage multi-faceted and robust cybersecurity platforms that include cloud security posture management (CSPM), data loss prevention (DLP), multi-factor authentication (MFA), and user and entity behavior analytics (UEBA).”
Kahol adds: “Secure Access Service Edge (SASE) platforms deliver end-to-end protection for data in sanctioned cloud resources, and are essential in any zero trust framework. Taking a proactive, automated approach to defending data in real time is critical.”