- ClaimPix exposed 5.1 million sensitive insurance files on an unsecured public database
- Documents included personal data, vehicle details, and internal company records
- ClaimPix restricted access and pledged code updates after researcher alerted them
ClaimPix, a company which streamlines car insurance claims, was leaking sensitive customer data on the clearweb, including people’s phone numbers, and email addresses, an expert has warned.
Security researcher Jeremiah Fowler, known for hunting down misconfigured and unprotected databases, recently found one such instance containing 5.1 million files, sharing his findings with WebsitePlanet.
The archive was 10TB in size, and included documents such as power of attorney, vehicle registration, estimates, repair invoices, and images of damaged vehicles with visible license plates and VIN numbers.
ClaimPix leaks
The data also included insurance documents with names, postal addresses, phone numbers, and emails, and registration documents with additional details about vehicles, but also internal documents with terms, fees, and other information that should not be available to the general public.
Fowler’s investigation led him to ClaimPix, a Hillside, Illinois technology company providing a self-service photo documentation platform to streamline insurance claims, damage assessments, and remote inspections. It covers multiple industries including insurance, car shipping, and contracting.
ClaimPix is a relatively small, privately-held organization, that operates with fewer than 25 employees, and generates roughly $5 million in annual revenue. According to some sources, it processed more than 25,000 claims across the United States, and built partnerships with firms like Bluestar Corporate Relocation.
Soon after Fowler reached out, the company restricted the database from public access, and apologized for the mishap.
“We have updated policies and our code to address this issue and will be making those changes live later this evening,” ClaimPix told the researcher.
A few details remain unknown: we don’t know if ClaimPix operates this archive, or if the work is outsourced to a third party. We also don’t know for how long it remained open, and if any threat actors accessed it before it was locked down. At press time, there was no evidence that the files were stolen or abused in phishing attacks.
You might also like
- Data center firm leaks massive 38GB database containing thousands of personal records online
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
