Insurance startup AgentRun accidentally leaks customers' personal and health information in cloud configuration error
AgentRun, a software startup that provides customer management software for independent insurance brokers, has accidentally exposed sensitive personal and medical information of thousands of insurance policy holders. The data breach was caused by a misconfigured AWS S3 storage bucket that was left without password protection and publicly accessible to anyone. The storage bucket contained a trove of sensitive files belonging to brokers' clients: insurance policy documents, health and medical information and some financial data.
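The exposure described above is the classic S3 failure mode: a bucket ACL or bucket policy that grants access to everyone, with no account-level guard to override it. The following script is an added example and is not AgentRun's code or any tooling mentioned in the article; it audits the three settings that decide whether an S3 bucket is publicly readable (the bucket ACL, the bucket policy and the Public Access Block configuration) against constructed sample inputs shaped like the responses of the real `GetBucketAcl`, `GetBucketPolicy` and `GetPublicAccessBlock` API calls. The group URIs and Public Access Block flag names are the real AWS values; the sample bucket contents and the `assess_bucket` helper are assumptions made for the example.

```python
"""Offline audit of an S3 bucket's exposure: ACL grants, bucket policy, Public Access Block.

The dicts below mimic what boto3's get_bucket_acl(), get_bucket_policy() (after json.loads on
the "Policy" string) and get_public_access_block() return; they are constructed sample data.
"""
import json

# Real AWS predefined groups: granting either of these makes the bucket public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Real Public Access Block flags; all four should be True on a bucket holding customer records.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to the public groups in an ACL dict."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list of principals)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy):
    """Return the Sids of Allow statements that apply to everyone."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in policy.get("Statement", [])
        if stmt.get("Effect") == "Allow" and _principal_is_everyone(stmt.get("Principal"))
    ]


def public_access_block_gaps(pab):
    """Return the Public Access Block flags that are not switched on."""
    return [flag for flag in PAB_FLAGS if not pab.get(flag, False)]


def assess_bucket(acl, policy, pab):
    """Combine the three settings the way S3 evaluates them (assumed helper for this example).

    A public ACL only takes effect while IgnorePublicAcls is off; a public policy only while
    RestrictPublicBuckets is off. The gaps list is reported even if nothing is public yet,
    because a later "flipped" ACL (as in the incident) would then become effective.
    """
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy)
    acl_effective = bool(acl_findings) and not pab.get("IgnorePublicAcls", False)
    policy_effective = bool(policy_findings) and not pab.get("RestrictPublicBuckets", False)
    return {
        "public": acl_effective or policy_effective,
        "acl": acl_findings,
        "policy": policy_findings,
        "pab_gaps": public_access_block_gaps(pab),
    }


# Constructed sample: the "migration" state, everyone can list and read objects.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}
EXPOSED_ACL = {"Grants": [OWNER, {
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
EXPOSED_PAB = dict.fromkeys(PAB_FLAGS, False)

# Constructed sample: the hardened state, owner-only ACL and every block flag on.
PRIVATE_ACL = {"Grants": [OWNER]}
HARDENED_PAB = dict.fromkeys(PAB_FLAGS, True)

EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}
PUBLIC_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")

if __name__ == "__main__":
    for label, acl, pol, pab in (("exposed", EXPOSED_ACL, EMPTY_POLICY, EXPOSED_PAB),
                                 ("public policy", PRIVATE_ACL, PUBLIC_POLICY, EXPOSED_PAB),
                                 ("hardened", PRIVATE_ACL, EMPTY_POLICY, HARDENED_PAB)):
        print(label, json.dumps(assess_bucket(acl, pol, pab)))
```

Against a live account the same functions take the output of `boto3` client calls `get_bucket_acl`, `get_bucket_policy` (whose `Policy` field is a JSON string) and `get_public_access_block`; the point of the Public Access Block check is that with all four flags on, an ACL accidentally "flipped" during a migration does not become effective, which is the control that would have contained this incident.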
AgentRun CEO Andrew Lech confirmed the breach in an email to ZDNet.
"We were migrating to this bucket during an application upgrade and during the migration, the permissions on the bucket were erroneously flipped," Lech wrote. He added that the company will be notifying customers, all affected individuals and “proper authorities” of the breach.
The misconfigured bucket contained information on thousands of customers of major insurance companies such as Cigna, TransAmerica, Manhattan Life, SafeCo Insurance, Schneider Insurance and Everest. The exposed insurance policy documents contained customers’ names, postal addresses, dates of birth, phone numbers and, in some cases, income range, ethnicity, marital status and even blank bank checks.
Sensitive health information such as an individual’s prescriptions, dosages and costs were also exposed in the leak.
Scans of customers’ identification documents such as Social Security cards and numbers, Medicare cards, and other documents like driver’s licenses, armed forces and voter identification cards were also exposed.
The misconfigured bucket was reportedly secured within an hour. It is still unclear how long the data was exposed in the unsecured S3 bucket and how many customers were affected.
The incident also brings AgentRun’s cybersecurity practices and protocols into question. According to its website, the company claims its service is secure and ensures that customers’ personal information is “highly safeguarded” using “the latest encryption standards to encrypt sensitive data in our system.”