- Claim exposed 5.1 million confidential insurance files in an unsecured public database
- The documents included personal data, vehicle details and internal company records
- Claim restricted access and promised code updates after the researcher alerted it
Claim, a company that streamlines car insurance claims, was leaking confidential customer data on the clear web, including people's phone numbers and email addresses, an expert has warned.
Security researcher Jeremiah Fowler, working with Website Planet, made the discovery.
The database was 10 TB in size and included documents such as powers of attorney, vehicle registrations, estimates, repair invoices and images of damaged vehicles with visible licence plates and VIN numbers.
Claim leaks
The data also included insurance documents with names, postal addresses, telephone numbers and email addresses, registration documents with further vehicle details, and internal documents with terms, rates and other information that should not have been available to the general public.
Fowler's investigation led him to Claim, a technology company based in Hillside, Illinois, which provides a self-service photo documentation platform to streamline insurance claims, damage assessments and remote inspections. It serves several industries, including insurance, vehicle shipping and car rental.
Claim is a relatively small private company with fewer than 25 employees and roughly $5 million in annual revenue. According to some sources, it has processed more than 25,000 claims across the United States and has partnered with companies such as BlueStar Corporate Relocation.
Shortly after Fowler contacted it, the company restricted public access to the database and apologised for the incident.
“We have updated the policies and our code to address this problem and we will make those changes live later tonight,” Claim told the researcher.
Some details remain unknown: we do not know whether Claim operates this database itself or whether that work is subcontracted to a third party. Nor do we know how long it remained exposed, or whether any threat actor accessed it before it was locked down. At the time of publication, there was no evidence that the files had been stolen or abused in phishing attacks.