According to ZDNet, Vertafore is pinning blame for the incident on human error. This apparently occurred after user data was stored on an unsecured external storage service. The files were then accessed by an external party.
The incident, reported in November 2020, is thought to have taken place sometime between March 11 and August 1 during this year. The company has indicated that the exposed data included Texas driver license numbers, names, dates of birth, addresses, and vehicle registration histories. However, social security identifiers and financial account information was not part of the lost database.
In a statement the company says: “Vertafore takes data privacy and security very seriously. The company has safeguards to protect its information and systems, with dedicated internal teams and partnerships with leading external firms” (as quoted by Star Telegram).
Commenting on the incident for Digital Journal is Vinay Sridhara, CTO, Balbix.
Sridhara looks at the background of the incident, considering how it may have happened: “This breach is yet another example of a company leaving a server and critical information unsecured without any protection, an unfortunate trend that has been the cause of many recent breaches.”
With the specific incident Sridhara notes: “About 27.7 million records were exposed by this data breach, including drivers license numbers, names, dates of birth, addresses, and vehicle registration histories. According to a recent report, nearly half (46%) of organizations find it hard to tell which vulnerabilities are real threats versus ones that will never be exploited. This leaves security teams flying blind when it comes to prioritizing risk and leaves organizations vulnerable to unexpected attacks, such as those exploiting a breach at a former third party partner with access to sensitive data.”
Sridhara also says: “While compliance to security laws has become a more daunting task than ever before given the accelerated adoption of new digital services and online tools to support remote workforces, insurers must take steps toward strengthening visibility and quantifying cyber risk.”
With the most important preventative action, Sridhara recommends: “To manage risk across their networks as well as a growing array of partners, organizations must employ tools that can monitor and prioritize vulnerabilities across the entire threat ecosystem, particularly areas with low visibility like user management.”