US Auto Insurance Platform ClaimPix Leaked 10.7TB of Records Online


A massive collection of data belonging to customers of ClaimPix, an Illinois-based platform for managing auto insurance claims across the United States, was recently discovered to be publicly accessible online.

Cybersecurity researcher Jeremiah Fowler reportedly found a database containing over 5.1 million files (a huge 10.7 terabytes of data) that was not protected by a password and was completely unencrypted. This research was published by Website Planet and shared with Hackread.com.

Millions of Records Left Unprotected

The exposed database included personally identifiable information (PII). In a limited sampling of the files analysed, Fowler found insurance documents with customers’ names, home addresses, phone numbers, and emails.

The exposure included more sensitive documents like official vehicle registrations, repair invoices, and images of damaged cars that clearly showed license plates and Vehicle Identification Numbers (VINs).

The database also contained internal company documents, such as confidential software license agreements. Further probing revealed the vast extent of this information, including records showing vehicle specifics like the year, make, and model.

The Threat of Impersonation and Fraud

One of the most alarming aspects of this leak is the discovery of around 16,000 Power of Attorney (POA) documents. A POA is a document that gives someone else the legal authority to buy, sell, or transfer the title of a motor vehicle on behalf of the owner. Since these documents were electronically signed and even included the signer’s IP addresses, they pose a serious threat.

Criminals could use this combination of personal details and legal authorisation for identity theft, financial crimes, or even to create a new, fake identity. The exposure of VINs and license plates also creates a risk of “vehicle cloning,” which is like identity theft for cars, Fowler explained in the blog post.

ClaimPix has acknowledged the severity of the incident. The company quickly restricted access to the database after receiving a responsible disclosure notice from Fowler. In a reply to the disclosure, they stated, “We have investigated and confirmed your findings,” and that they have since “updated policies and our code to address this issue and will be making those changes live later this evening.” This is a welcome step to protect customer data going forward.

However, it remains unclear whether the database was managed by ClaimPix directly or by a third-party vendor, and how long the data was exposed is still unknown.






About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.