BackNine Security Incident

Reid Tattersall

8/12/2021

Summary

On 7/12/2021, BackNine was notified of a public Amazon S3 bucket containing private files. The public S3 bucket allowed anyone with knowledge of the file’s URL to access it. BackNine has no evidence to indicate that the information contained within the inadvertently published files has been or will be misused.

How did this happen?

A bug in BackNine’s code caused some insurance applications to be uploaded to the incorrect S3 bucket. Insurance applications within the S3 bucket contained sensitive information such as full names, addresses, phone numbers, Social Security numbers, medical diagnoses, medications taken, and detailed completed questionnaires from April 23, 2015, to July 12, 2021.

Remediation

The S3 bucket was made private 20 minutes after BackNine was notified, which prevented further unauthorized access. An internal audit of document uploads has been completed and resulted in several security enhancements. We are presently conducting an external penetration test to proactively address security weaknesses.

Was my client's information accessed?

Logging was not enabled on the S3 bucket, so it is not known who viewed or copied files. As a result, BackNine is notifying all potentially affected individuals.
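The two conditions described above (a bucket readable by anyone, and no access logging to show who read it) are both visible in a bucket's configuration. The following check is an added illustration, not BackNine's code: it evaluates a bucket policy for anonymous read grants and a `GetBucketLogging` result for a logging target, using constructed sample inputs shaped like those AWS API responses (fetching them live, for example with boto3, is assumed and left out so the example runs offline).

```python
import fnmatch
import json

# Constructed sample policy (not BackNine's): anonymous read of every object.
SAMPLE_PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-uploads/*",
    }],
})

# Constructed sample policy: only a named role may read.
SAMPLE_PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-uploads/*",
    }],
})

# Constructed GetBucketLogging results: logging off vs. logging to a target bucket.
SAMPLE_LOGGING_DISABLED = {}
SAMPLE_LOGGING_ENABLED = {"LoggingEnabled": {"TargetBucket": "example-logs", "TargetPrefix": "uploads/"}}

def _is_anonymous(principal) -> bool:
    """True when the statement applies to everyone ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_read_statements(policy_json: str) -> list:
    """Allow statements that let anyone read objects, with no Condition narrowing them."""
    hits = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # IAM action names are case-insensitive and may carry wildcards (s3:*, s3:Get*).
        if any(fnmatch.fnmatch("s3:getobject", a.lower()) for a in actions) and "Condition" not in stmt:
            hits.append(stmt)
    return hits

def logging_enabled(get_bucket_logging_response: dict) -> bool:
    """Server access logging is on only when a target bucket is configured."""
    return bool(get_bucket_logging_response.get("LoggingEnabled", {}).get("TargetBucket"))

def audit_bucket(policy_json: str, logging_response: dict) -> list:
    """Findings a defender wants to see before, not after, a disclosure."""
    findings = []
    if public_read_statements(policy_json):
        findings.append("public-read")
    if not logging_enabled(logging_response):
        findings.append("no-access-logging")
    return findings
```

A bucket with both findings matches the situation described in this notice; Amazon's account-level Block Public Access setting would additionally override policies like the first sample.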

Disclosures

We notified 16 state insurance departments along with the FBI. Notices are being mailed out to potentially affected individuals starting August 13th, 2021. A copy of the letter along with an FAQ is posted below.

Example Letter

Call Center FAQ

Conclusion

If you are aware of any security or privacy issues or have questions, please email [email protected].

Sincerely,

Reid Tattersall, CFP, CLU, ChFC, CAP

Vice President