Misconfigured Database Might Have Led to Data Breach, Security Experts Say
An unauthorized person appears to have gained entry to insurance software firm Vertafore’s network earlier this year and compromised the driver’s license data of over 27 million Texas citizens, the company detailed this week.
Vertafore says in a statement issued Friday that the entry was made between March 11 and Aug. 1, when someone gained access to a specific product within the company’s insurance rating tool that contained information on Texas drivers.
The breach was discovered in mid-August, Vertafore says.
“The files, which included driver information for licenses issued before February 2019, contained Texas driver license numbers, as well as names, dates of birth, addresses and vehicle registration histories,” the company reports.
Social Security numbers and financial account information for the drivers is not stored in this database, nor is data pertaining to partners, vendors or other supplier data, according to the statement. The company adds that no system vulnerabilities have been identified to this point.
Information Security Media Group has reached out to the Texas Department of Transportation for additional comment on the incident, but has not heard back.
The possibility that a system vulnerability does not exist could mean the data was obtained through a database configuration error, says Tim Wade, technical director of the CTO Team at security firm Vectra.
“Early reports seem to indicate that a misconfiguration is at the root cause of this disclosure,” Wade tells ISMG. “Unfortunately, this is all too common, and if those reports are accurate, this is an example of how serious even something as seemly innocuous as a simple access misconfiguration can become.”
Misconfigured databases leading to data loss have plagued hundreds of companies over the past several years, leading Bill Santos, president of Cerberus Sentinel, to note that having a security-aware corporate culture is key to stopping these type of incidents which are almost always due to human error.
Javvad Malik, security awareness advocate with KnowBe4, agrees about the possibility of a misconfigured database, adding that one way to solve the problem is through training and education, as well as deploying technical controls.
In its statement, Vertafore notes that it’s still investigating the incident with third-party security firms. Law enforcement in Texas and the FBI are also investigating.
“Vertafore immediately engaged a leading intelligence firm to search for evidence indicating potential misuse of this information in connection with this event,” according to the company, adding no evidence so far has been uncovered to indicate the compromised information has been misused. Vertafore is offering those affected one year of free credit monitoring and identity restoration services.