- Claimpix exposed 5.1 million sensitive insurance files on an unsecured public database
- Documents included personal data, vehicle details and internal company registers
- Claimpix limited access and pledged code updates after the researcher warned them
Claimpix, a company that streamlines car insurance claims, leaked sensitive customer data on the clear web, including people's phone numbers and email addresses, an expert has warned.
Security researcher Jeremiah Fowler, known for hunting misconfigured and unprotected databases, recently found one such example containing 5.1 million files and shared his findings with Website Planet.
The archive was 10 TB in size and included documents such as proxy, vehicle registration, estimates, repair invoices and images of damaged vehicles with visible license plates and VIN numbers.
The data also included insurance documents with names, mailing addresses, telephone numbers and email addresses, and registration documents with additional vehicle details, as well as internal documents with conditions, fees and other information that should not be available to the public.
Fowler's investigation led him to Claimpix, a Hillside, Illinois technology company that provides a self-service photo documentation platform to streamline insurance claims, damage assessments and remote inspections. It covers several industries, including insurance, car shipment and contracting.
Claimpix is a relatively small, privately held organization with fewer than 25 employees that generates approximately $5 million in annual revenue. According to some sources, it has handled more than 25,000 claims throughout the United States and built partnerships with companies such as Bluestar Corporate Relocation.
Shortly after Fowler reached out, the company restricted public access to the database and apologized for the incident.
“We have updated policies and our code to tackle this problem and will make these changes live later tonight,” Claimpix told the researcher.
A few details remain unknown: we do not know whether Claimpix manages this archive itself or whether the work is outsourced to a third party. We also do not know how long it remained open or whether any threat actors gained access to it before it was locked down. At press time, there was no evidence that the files had been stolen or abused in phishing attacks.



