An online database of more than 5 million records apparently belonging to MedicareSupplement.com was left open and accessible to the public. On May 13, 2019, Comparitech worked alongside security researcher Bob Diachenko to uncover the publicly available MongoDB instance that appears to be part of the website’s marketing leads database.
MedicareSupplement.com is a US-based insurance marketing website that lets users find supplemental medical insurance available in their area. Users are required to enter personal information in order to get a quote. It is not an insurance company.
What information was exposed?
The records contained the following personal information:
- First and last name
- Full address
- IP address
- Email address
- Date of birth
- Marketing-related information (lead duration, clicks, landing pages, etc.)
Some records—about 239,000—also indicated insurance interest area, for example, cancer insurance. Data was spread across several categories, including life, auto, medical, and supplemental insurance.
The IP address of the publicly available database was first indexed on May 10, 2019 by public search engine BinaryEdge. We do not yet know whether anyone gained unauthorized access to the database.
We promptly disclosed the vulnerable database to MedicareSupplement.com. Since then, database access has been disabled and a proper security configuration installed. We received no further correspondence from the company thereafter.
Dangers of exposed databases
Diachenko, who collaborates with Comparitech on security research, says the dangers of exposing databases such as MongoDB or other NoSQL stores without a password or other authentication are huge:
“I have previously reported that the lack of authentication allows the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”
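As an added example that is not part of the original report, the script below audits a standard mongod.conf for the two settings behind the kind of exposure Diachenko describes: a listener bound to every interface and security.authorization left off. The sample configurations are constructed for illustration, not the site's own.

```python
# Added example (not from the article): audit a mongod.conf for the exposure
# pattern described above, an instance reachable from any interface with
# authorization left off. The configs below are constructed samples.
from typing import Dict, List

CONSTRUCTED_WEAK_CONF = """\
net:
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

CONSTRUCTED_HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""

def parse_mongod_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the two-level 'section:' / '  key: value' layout of
    mongod.conf. Not a full YAML parser: comments and blank lines are skipped."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line.startswith(" "):          # top-level section such as net:
            section = key
            conf.setdefault(section, {})
        elif section is not None:            # indented key under that section
            conf[section][key] = value.strip()
    return conf

def audit_mongod_conf(text: str) -> List[str]:
    """Return findings matching the open-to-the-internet, no-auth pattern."""
    conf = parse_mongod_conf(text)
    findings: List[str] = []
    net = conf.get("net", {})
    # mongod binds to localhost by default since 3.6; bindIpAll or an explicit
    # 0.0.0.0 / :: makes the listener reachable from every interface.
    bind_ip = net.get("bindIp", "127.0.0.1")
    if net.get("bindIpAll") == "true" or any(
            ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(",")):
        findings.append("net.bindIp listens on all interfaces")
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not enabled")
    return findings
```

Run both samples through audit_mongod_conf: the weak one reports both findings, the hardened one reports none.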
The people whose information was exposed, particularly those whose records included insurance interest area, could be at risk of spam, targeted phishing, and fraud.
If you’ve used MedicareSupplement.com in the past, be on the lookout for these attacks. In particular, look out for medical identity theft and learn how to spot phishing emails.
MedicareSupplement is a direct-to-consumer insurance marketing site that lets Medicare users get quotes on and compare various supplemental insurance plans. Although MedicareSupplement is not an insurance company, it does collect a fair amount of personal information in order to provide users with price quotes.
MedicareSupplement.com is owned by TZ Insurance Solutions, LLC, headquartered in Fort Lee, New Jersey. It has been a Better Business Bureau-accredited company since 2011 and has an A+ rating. We found no record of prior breaches or data exposure.
TZ Insurance also owns TRANZACT, a business offering sales and marketing solutions to insurance companies. We have reached out to TZ Insurance Solutions for more information on this data exposure.