Cybersecurity researcher Jeremiah Fowler has discovered a massive unprotected database containing highly sensitive insurance and vehicle-related records. The exposed database held over 5.1 million files totaling 10TB and included powers of attorney, vehicle registrations, repair invoices, and images of damaged vehicles with visible license plates and VINs (vehicle identification numbers).
According to Fowler, “The publicly exposed database was not password-protected or encrypted. It contained 5,170,256 files and images.”
A sampling of these files revealed a wide range of personally identifiable information (PII):
- Names, physical addresses, phone numbers, and emails.
- Registration documents with VINs, vehicle year, make, and model.
- Nearly 16,000 powers of attorney documents granting legal authority to transfer or assign titles, some even including the IP addresses of individuals who signed them electronically.
Fowler also found internal documents such as software license agreements and other business records that should not have been exposed.
The exposed data appeared to belong to Illinois-based ClaimPix, a platform used across the U.S. for managing and filing auto insurance claims. Fowler explained, “Information inside the database (and the name of the database itself) indicated the records belonged to Illinois-based ClaimPix… I immediately sent a responsible disclosure notice to ClaimPix, and the database was restricted from public access shortly after.”
It remains unclear how long the data was exposed or whether unauthorized parties accessed it before the issue was remediated.
The type of data exposed poses severe risks of fraud and identity theft. Fowler warned, “The exposure of personal data, insurance information, and even identification documents poses numerous potential risks both online and offline.”
For example:
- VIN cloning: using stolen VINs to illegally register stolen or salvaged cars.
- Insurance fraud: impersonating policyholders to file fraudulent claims or intercept payouts.
- Impersonation attacks: exploiting powers of attorney to transfer vehicle ownership without the owner’s knowledge.
Fowler pointed out that criminals could even combine data from multiple individuals to create synthetic identities for fraudulent activities.
Following Fowler’s disclosure, ClaimPix responded: “Thank you for alerting us to the security issues that you mentioned. We have investigated and confirmed your findings… We have updated policies and our code to address this issue and will be making those changes live later this evening.”
Fowler advises that, “companies in the insurance industry… encrypt all sensitive data… enforce access controls with multi-factor authentication… and perform regular audits of cloud storage systems to ensure they restrict public access.”
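The last of those recommendations, auditing cloud storage for public access, is the one that would have caught this exposure. The article does not say which cloud provider or database product ClaimPix used, so the following is an added example, not ClaimPix's or Fowler's code: it assumes an AWS S3 bucket and evaluates a bucket policy together with the bucket's Public Access Block settings to decide whether anonymous callers can read objects. The bucket names, role ARN and policies are constructed for the example, and only the `Principal`/`Action`/`Effect` subset of the policy grammar is interpreted (conditions are not evaluated, so the check errs on the side of over-reporting).

```python
"""Audit helper for S3-style bucket policies (added example, constructed input).

It answers one question per bucket: can an anonymous principal read objects?
Two controls must both fail for that to be true:
  1. the bucket policy contains an Allow statement for everyone ("*"), and
  2. RestrictPublicBuckets is not enabled in the Public Access Block settings
     (when it is enabled, AWS ignores public grants for anonymous callers).
"""

import json
from typing import Dict, List

# Actions that give a caller read access to objects or bucket listings.
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _as_list(value) -> List[str]:
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """True when a statement's Principal is "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_grants_read(action) -> bool:
    return any(a in READ_ACTIONS for a in _as_list(action))


def public_read_statements(policy_json: str) -> List[str]:
    """Return the Sids of Allow statements granting read access to everyone.

    Statements carrying a Condition block are still reported: a condition may
    narrow the grant, but this auditor does not evaluate conditions, so it
    reports conservatively and leaves the judgement to a human reviewer.
    """
    policy = json.loads(policy_json)
    found = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if _principal_is_public(st.get("Principal")) and _action_grants_read(st.get("Action")):
            found.append(st.get("Sid", f"statement-{i}"))
    return found


def audit_bucket(name: str, policy_json: str, public_access_block: Dict[str, bool]) -> Dict:
    """Combine the policy finding with the bucket-level Public Access Block."""
    offending = public_read_statements(policy_json)
    restricted = bool(public_access_block.get("RestrictPublicBuckets", False))
    return {
        "bucket": name,
        "public_statements": offending,
        "restrict_public_buckets": restricted,
        "exposed": bool(offending) and not restricted,
    }


# Constructed sample policies (hypothetical bucket and role names).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::claims-photos-example/*"},
        {"Sid": "AppWriter", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/claims-app"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::claims-photos-example/*"},
    ],
})

# Same bucket after the fix: reads are limited to the application role.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppReadWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/claims-app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::claims-photos-example/*"},
    ],
})


if __name__ == "__main__":
    for label, policy, pab in [
        ("weak, no block", WEAK_POLICY, {"RestrictPublicBuckets": False}),
        ("weak, block on", WEAK_POLICY, {"RestrictPublicBuckets": True}),
        ("hardened", HARDENED_POLICY, {}),
    ]:
        print(label, "->", audit_bucket("claims-photos-example", policy, pab))
```

In a real audit the policy and Public Access Block would come from `get_bucket_policy` and `get_public_access_block` in boto3 for every bucket in the account, run on a schedule; the evaluation logic stays the same. A `Deny` statement or an account-level block can override what this check sees, so treat an "exposed" result as a finding to confirm, not a verdict.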
For individuals, he recommends monitoring for signs of identity theft, placing fraud alerts or credit freezes when necessary, and checking insurance statements regularly.