Compliance Management, Network Security

AgentRun’s misconfigured S3 bucket exposes PII insurance companies’ customers

Share

Just an hour after an open AWS S3 bucket at insurance firm AgentRun was discovered to be exposing information on thousands of customers of major insurance companies like Cigna and SafeCo, the company closed down the server.

Information on insurance policies as well as health, medical and financial data were publicly accessible because no password was required, according to a report from ZDNet.

"We were migrating to this bucket during an application upgrade and during the migration, the permissions on the bucket were erroneously flipped," the report cited AgentRun founder Andrew Lech as saying.

Noting that “interconnected digital ecosystems have left organizations on the hook not only for their own vulnerabilities, but for those of any vendors, customers, partners or affiliates with access to their data,” Fred Kneip, CEO at CyberGRX, said, Hackers have learned that the path of least resistance to an organization's data is often through third parties with weak security controls, and we're going to continue to see these types of attacks until the industry takes this issue more seriously and adopts a more collaborative approach to reducing third-party risk.”

Organizations must therefore “better understand the security practices of all parties in the data chain of custody. Who has your data and how well are they securing it, whether it is in the cloud or on-premise? Are they encrypting the data in an S3 bucket?” said Kneip. “These are critical factors that organizations need to understand about all third parties in their digital ecosystem in order to know which pose the most risk to their data.”

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.