DataBreaches.net was recently contacted by an Indian cybersecurity firm, Banbreach, about a vulnerability involving the California Department of Insurance site. According to Banbreach, they notified the California Department of Insurance (CDI) that interactive.web.insurance.ca.gov was hosting an oracle reporting server that had generated more than 24,450 reports in the prior 24 hours. Most of the reports were appeared to be renewal reports for insurance agents that included the agents’ name, renewal ID, and Tax Identification Number (TIN). Because many individuals use their Social Security Number as their TIN, there was the possibility that many people could have their name and SSN compromised. Other reports that were exposed by the site’s vulnerability were described as:
- insurance claims investigation reports with details such as names, vehicle registration numbers, and addresses;
- Statistical reports on monthly frauds; and
- Details of individuals and charges they were indicted for, fines paid, impacted parties etc.
Banbreach reported their observations to the agency on November 9 and followed up by contacting the state attorney general’s office. By the following week, Banbreach had received acknowledgement and requests for assurances about not misusing the data and destroying the data.
But was anyone notified about this potential exposure and leak? Neither Banbreach nor DataBreaches. net could find any disclosure or notification on any state web site.
DataBreaches.net reached out via email to CDI to inquire whether there was any notification. In response, this site was sent a copy of the notification that was sent out on December 14. That notification is embedded at the bottom of this post.
In a cover email, a spokesperson explained that the notification would not appear on the state’s web site because “the incident did not affect the number of persons that would otherwise generate such a requirement. (See Cal. Civ. Code section 1798.29.)”
It appears that the state’s investigation had determined that the only entity to access any of the potentially exposed data was Banbreach’s firm. This is not quite consistent with what Banbreach tells DataBreaches.net, as they say there was a second IP address that was used to confirm the exposure.
In any event, Banbreach has done thousands – or even, perhaps, millions – of people a favor by notifying the state so that they could correct their security. On November 13, as part of its response to their report, CDI also severed any connection between their confidential reports and the external web site.
So, well done, Banbreach!
And as an unexpected but very welcome bonus: DataBreaches.net now has a contact in India (Banbreach) who I’ve already enlisted to help me make notifications of other leaks involving Indian entities who are not responding to email notifications of leaks (cf, this situation).PRA-2019-00004-Notice-of-Data-Breach