Detailed personal information from thousands of insurance customers in Maryland–as well as login credentials for a massive national insurance claims database–was exposed due to an an open port on a NAS server.
The misconfiguration exposed a wealth of information on Maryland Joint Insurance Association policy holders, including names, addresses, phone numbers, dates of birth and Social Security numbers, according to researcher Chris Vickery of Upguard who discovered it. The data also includes bank account numbers, check images, internal access credentials.
Vickery found the exposed data after scanning IP addresses for ones that had port 873 open and exposed to the public Internet, he said in an interview. Port 873 is the default port used for running the rsync protocol for replication and backup.
It wasn’t open on the MJIA’s systems, but he noticed that at the same IP address port 9000 was open. Port 9000 is often used as a web front end for NAS servers. Vickery found this was the case with the MJIA’s NAS server and was able to access the entire trove of data, he said. The port has since been closed.
One section on the NAS server, titled “BBackup,” contains files related to customer information. A 60GB folder called “appgen” included more than 175,000 files dating back as far as 2010.
Perhaps even more troubling, the server also contained login details for ISO ClaimSearch, a massive database of claim information maintained by insurers nationwide. Tens of millions of records are added to ClaimSearch each year. It’s not clear what level of access could be gained
The MJIA is a state-mandated insurance program that helps homeowners with high risk factors find coverage.
“We take cybersecurity very seriously,” MJIA general manager Christopher Dooley said in a brief phone interview on Thursday. The NAS server in question was a backup device the MJIA had installed in October, he said. Dooley could not say why the port was left open. The MJIA uses an outsourcing firm for its IT needs, Dooley said.
It is not clear whether any of the data was compromised by an attacker, but the MJIA said it doesn’t believe any customers are at risk.
Vulnerable ports remain a vexing fact of life, despite the presence of threats like the WannaCry ransomware, which attacked devices through SMB Port 445, which is used for file-sharing.
In a report released last June, Rapid7 found there were 160 million devices with ports inappropriately exposed to the public Internet. Among them were 5.5 million open 445 ports, which was actually up from the previous year’s total of 4.6 million, according to the report.