This time the target was BackNine, a software startup that supports a number of major insurance companies. BackNine apparently uses Amazon Web Services for “cloud” data storage.
An Amazon server storing insurance applications was converted from private to public access. Whether this was done accidentally or intentionally is not known; however, this change requires access to security credentials.
There are more than 700,000 insurance applications on that server. Each of the application files contains:
- Personally identifiable information (names, addresses, SSNs, and in some cases, driver's license numbers)
- Financial information
- Medical histories and the results of insurance medical exams and tests
The applications cover a span of time from 2015 to 2021.
The insurance companies known to be affected include:
- John Hancock
- Lincoln Financial
There are several object lessons from this announcement relevant to businesses and individual consumers:
- All the “cloud” means is that you or a company is using devices that you do not own and which may or may not be secure. Promises of security may not be worth the electrons used to transmit them.
- Keep copies of anything important in your personal possession. If anything is electronic, place it on a backup drive that you can disconnect from the Internet.
- Assume your private information is public and monitor credit reports on a regular basis.