There are many sound business reasons for entrusting sensitive data to a third party. Third-party services provide efficiency, expertise, and cost savings that no business can do without. However, evaluating the security of third-party providers is paramount when selecting trustworthy vendors.
But how do you actually decide that a vendor is trustworthy? We have always advocated that organizations find out which of their vendors create the most risk, but sometimes that isn’t so simple. While that evaluation involves a review of prior data breach incidents, what happens if the vendor has had multiple incidents? How can you put those events into context if the information is opaque or disjointed? Recent events at insurance services provider Vertafore highlight those challenges of putting data loss experience into proper context.
Who is Vertafore?
While Vertafore isn’t exactly a household name, it is a major technology service provider to the insurance industry, offering solutions ranging from agency management software to data exchange services for insurance carriers. It is reportedly the fourth largest tech employer in the Denver area and commanded a $5.35 billion asking price when acquired by Roper Technologies in 2020.
The Vertafore name may ring a bell for followers of data breach reporting. In November 2020, the organization suffered a sizable breach when an employee inadvertently moved several folders into an unsecured external storage service. The data was discovered and was allegedly “accessed without authorization” between March 11, 2020 and August 1, 2020. In total, over 27 million Texas DMV records were exposed (which is practically everyone issued a Texas driver’s license prior to February 2019). The incident compromised:
- Dates of birth
- Driver’s license numbers
- Vehicle registration histories
Vertafore was quick to state that no Social Security numbers of financial account information was exposed.
In many respects this 2020 incident is very similar to the approximately 250 other data-exposing misconfigurations reported during that year. However it is what comes next, in July 2021, that makes Vertafore’s breach experience so confounding.
The QQCatalyst agency management system
QQCatalyst is a cloud based insurance agency management platform first created by QQSolutions in early 2013 and acquired by Vertafore in mid-2015. QQCatalyst, now maintained by Vertafore, is used by agencies to host insurance documents, quickly communicate with customers via a text message based system, and automate customer onboarding and marketing processes.
The QQCatalyst breach
On November 30, 2020, twenty days after disclosing the Texas DMV data compromise, Vertafore discovered a misconfiguration in QQCatalyst that allowed unauthorized access to reports and forms generated by the software while leaving other files uploaded to QQCatalyst accessible to the public. Vertafore could not determine if these publicly available files were accessed, files which potentially included insurance applications, quotes, policies, or any other forms uploaded under the Contact and Policies Files tab.
Vertafore has disclosed that the following data was exposed to misuse or unauthorized access due to the configuration error:
- Dates of birth
- Driver’s license numbers
- Social Security numbers
- Credit or debit card numbers
- Financial account information
The most notable element of this breach is the date it first occurred: January 1, 2012. As mentioned previously, QQCatalyst was released in early 2013. This means that the software was created and released with this misconfiguration present, leaving the data exposed to misuse for more than 8 years. In addition, it shows Vertafore did not discover the misconfiguration during their due diligence process prior to the 2015 acquisition.Another interesting conclusion that could be drawn by focusing on the incident dates is how Vertafore discovered this breach. Vertafore discovered the QQCatalyst incident just 4 months after discovering the unsecured external storage service that left 27.7 million Texas drivers’ information exposed. In their notice, they assure that they are taking steps to improve their security and fortify their systems; is it because of this review that the QQCatalyst misconfiguration was discovered?
Affected insurance agencies
While the second misconfiguration did not impact as many records as the first, the effects have been felt by insurance agencies across the country. The following table depicts the insurance agencies confirmed to be impacted by the breach. To date, reports indicate that at least 42,714 people are known to have had their information exposed, with a smaller, unknown portion of people confirmed to have suffered unauthorized access to their information.
|D.E. Reed Insurance Agency, Inc.||12,038|
|Educators Insurance Agency||8,944|
|Freedom Insurance Agency||6,465|
|Golden Rule Insurance Agency||5,659|
|Heinz Insurance Agency||3,911|
|Lakeside Insurance Brokers||3,014|
|Kevin Bull, Inc.||1,968|
|Kelly Klee, Inc.|
La Jolla Professional Insurance Associates
|New England Risk Management||Unknown|
|Patterson Insurance Agency||Unknown|
|Shared Alliance Insurance, Inc.||Unknown|
|Ironside Insurance Group, LLC||Unknown|
|WebFirst Insurance, LLC||Unknown|
|Ronald F. D’Agostino Insurance Agency, Inc.||Unknown|
|Rawson and Sons Insurance Group, LLC||Unknown|
The following agencies are not confirmed to have been affected by the QQCatalyst breach. However, due to the fact these agencies have reported a data breach with the same unique breach date of January 1, 2012, there is a strong possibility that they actually were affected by this breach.
|Priority First Insurance and Investments||1,620|
|Thomas Insurance Advisors||1,070|
|Palestine Insurance Agency||635|
|Reliable Insurance Solutions LLC||1|
The total number of affected agencies remains unknown, as these are the only organizations that have disclosed the event or provided a consumer notification letter.
The importance of database diligence
It’s essential for companies to ensure their products have the proper configurations to prevent easy exploitation from malicious actors. Human error is usually the culprit in these cases, which highlights the significance of not just playing defense against malicious actors, but making sure the playing field is well maintained to begin with.
Misconfigured databases pose persistent risk to organizations, with inadvertent exposure playing a significant role in contributing to the number of records compromised each year. In the first 6 months of 2021 alone, “Web” type breaches accounted for over 52 billion records exposed. While these are not all solely because of misconfigured databases, access control is a facet of security that is important to keep in check, and can be highly damaging if it is neglected.
The importance of due diligence
Organizations have a responsibility to ensure that sensitive data is protected. Malicious threat actors never stop, so all of us must ensure the confidentiality, integrity, and availability of what we, and our third-party vendors, store.
It can be difficult to place your trust in a vendor, especially if you don’t have comprehensive and actionable breach intelligence. Unfortunately, breaches frequently dominate press headlines and if any of them affect your current or potential vendors, you need to be aware.