An insurtech startup exposed thousands of sensitive insurance applications

Zack Whittaker reports:

A security lapse at insurance technology startup BackNine exposed hundreds of thousands of insurance applications after one of its cloud servers was left unprotected on the internet.

BackNine might be a company you’re not familiar with, but it might have processed your personal information if you applied for insurance in the past few years. The California-based company builds back-office software to help bigger insurance carriers sell and maintain life and disability insurance policies.

Read more on TechCrunch.

Update:  Bob Diachenko wasn’t the only researcher notifying BackNine back in June. has learned that an independent researcher had also found BackNine exposing insurance applications back in June — but not in an Amazon storage bucket.

The following is a screencap of an email the researcher sent BackNine on June 19. The researcher’s email address and the IP address of the leak are redacted by

Notification to


Recently I came across pdf’s located at the directory http://[redacted]/pdfs which belong to your company 

While some are blank and have test data inside them, there are others that have confirmed real information on them. 

Hopefully you can block access to that directory as it is exposing SSN/Drivers license details and other data for an unknown amount of users.


[username redacted]

The researcher reports that “not long” after the email was sent to BackNine, the data were locked down, but the firm never acknowledged the email or replied.

So that’s two data leaks discovered in June where they don’t even acknowledge responsible disclosure….

About the author: Dissent
