An online database containing the records of more than 5 million customers apparently belonging to MedicareSupplement.com was left open and accessible to the public, according to a report from Comparitech.
In order to get a quote from the TZ Insurance Solutions–owned website, MedicareSupplement.com, users are required to enter personal information. Though not an insurance company, the site does allow users to find supplemental medical insurance through the US-based insurance marketing website.
According to its website, MedicareSupplement.com takes precautions to secure user data. “We have taken certain physical, administrative, and technical steps to safeguard the information we collect from and about our customers through the Services. While we make every effort to help ensure the integrity and security of our network and systems, we cannot guarantee our security measures."
Security researcher Bob Diachenko discovered what appeared to be part of the site’s marketing leads database on May 13, where millions of MongoDB instances were left publicly available, according to the report. Diachenko tweeted that the database was first found on BinaryEdge.
“Some records – about 239,000 – also indicated insurance interest areas, for example, cancer insurance. Data was spread around several categories, including life, auto, medical, and supplemental insurance,” the report said.
Having personal information exposed puts users at risk of fraud, spam and targeted phishing attacks, and Comparitech warned that users of MedicareSupplement.com vigilantly keep an eye out for these types of attacks.
“I have previously reported that the lack of authentication allows the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cyber-criminals to manage the whole system with full administrative privileges,” said Diachenko who collaborated with Comparitech. “Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”