Md. insurer left some customer data exposed
Online breach apparently was fixed with no harm done, company official says
A local property insurer called the Maryland Joint Insurance Association left data about some of its customers exposed online, but there’s no evidence it was accessed improperly.
The exposed data was found by a California-based cybersecurity firm known as UpGuard that notified the insurer, which took steps to protect it.
“They made us aware of the potential threat and we reached out to our own IT specialists who have taken care of the threat,” said Christopher Dooley, the insurer’s general manager. “We take securing data very seriously.”
The Maryland Joint Insurance Association was formed 50 years ago by the insurance industry to provide property coverage to the hard-to-insure.
The insurer confirmed it had moved archived data months before to a backup system maintained internally and didn’t realize the information lacked proper safeguards. Much of the insurer’s current customer data is maintained by a secure outside firm, it said.
Dooley said most of the archived data was from former customers. The insurer works to return customers to the traditional insurance market and has 1,500 current policy holders, down from a high of 7,000. Officials haven’t decided if they will notify individuals, as they do not believe any data was taken. There are no Social Security numbers or bank information maintained.
UpGuard officials say companies often downplay such lapses, but companies that maintain copies of old checks have banking information, for example, making companies like insurers targets for hackers.
Across the country, cybersecurity has become a major issue for a range of firms and groups, including some large, high-profile insurers, affecting millions of people. The Maryland Insurance Administration said carriers in the state are required to report breaches and have done so from time to time.
Tracy Imm, a spokeswoman for the state insurance regulator, said officials there make sure the carriers report such breaches to customers in a timely manner.
For its part, UpGuard goes looking for such lapses but never breaches a system. Chris Vickery, the company’s director of cyber risk research, said he scans the Internet for data that is essentially “broadcast online” to anyone with simple computer skills.
The scanning helps his firm understand the common and evolving types of data security problems and validate UpGuard’s work.
But Vickery also helps other companies by tipping them off to holes in their systems so they can make fixes, which he said the Joint Insurance Association did in a day. He also blogs and talks about his specific findings, bringing attention to the issues and those companies — as well as UpGuard.
“I see what’s on the horizon,” Vickery said. “How does the industry deal with risk and specific situations?”