A massive data breach has come to light, exposing over 250,000 documents containing the personal and sensitive information of thousands of individuals from the United States.
The breach, which lasted for at least two weeks, involved an unsecured database containing scans and images of various documents, including vehicle registrations, driver’s licenses, insurance cards, vehicle titles, and state Medicaid health coverage cards.
The breach was initially discovered by security researcher Jeremiah Fowler, who stumbled upon the exposed database. Upon further investigation, it was revealed that the primary insurer associated with all the policies listed in the database was USA Underwriters.
Concerned about the severity of the data exposure, the researcher promptly reached out to USA Underwriters via email with a responsible disclosure notice. However, despite multiple attempts, the researcher received no response.
Taking matters into his own hands, Fowler managed to contact someone at USA Underwriters by phone and emphasized the urgency of the situation. Following the call, the database was finally secured and restricted from public access within two hours.
The story took an unexpected twist when Fowler received a voicemail from an individual claiming to be a detective from the Detroit Police, seeking to ask a few questions.
“I searched the name and phone number of the alleged detective, and a LinkedIn account matched the same unique and uncommon name of a USA Underwriters employee. I returned the call and asked if the individual was an employee or affiliated with USA Underwriters, and each time the answer was, ‘No,’” Fowler detailed in the report to vpnMentor.
Furthermore, the detective in question mentioned that a third-party vendor named RateForce was the owner of the compromised database. This incident is somewhat similar to the one in November 2020, in which Vertafore, an insurance software solution, exposed license details of 27.7M Texas drivers.
RateForce is a platform that facilitates online comparison of car insurance quotes and has boasted nearly 11 million quotes since 2014. In 2021, the company ranked second on the prestigious Inc. 5000 list of the fastest-growing private companies in the insurance industry. This revelation suggests that the breach may have affected a significant number of individuals who have utilized RateForce’s services.
The compromised records revealed a substantial presence of independent insurance agents who sold policies. It appears that most of the documents originated from agencies and car dealerships procuring insurance on behalf of their customers. While the majority of identification documents belonged to individuals from Michigan, licenses from Georgia, Arizona, and Virginia were also observed.
The database contained a staggering 96,175 folders that housed 255,756 records, totaling 93.93 GB. These folders contained insurance policy cards, driver’s licenses (front and back), and, in some cases, additional documents such as auto loan information, state registrations, Medicaid or health insurance cards, utility bills, and letters from banks showing active accounts.
Moreover, the breach exposed customer and applicant names, home addresses, phone numbers, driver’s license numbers, vehicle identification numbers (VINs), and insurance policy details. Shockingly, sales records with auto dealer information, including EIN tax identification numbers, were also compromised, with some records even containing buyers’ social security numbers in plain text.
While USA Underwriters was initially thought to be the owner of the exposed database, it was later confirmed that the database belonged to RateForce, indicating the involvement of a third-party vendor.
USA Underwriters clarified that they employ a separate IT company to manage their infrastructure and disclaimed any responsibility for the management of the breached database. This incident serves as a reminder of the risks associated with third-party vendors and highlights the need for stringent security measures and oversight when handling sensitive customer information.