Insurance SaaS giant Vertafore exposed 27.7M names, driver license numbers, dates of birth, addresses, and vehicle registration histories.

Vertafore Says Human Error to Blame

Three massive data sets were inadvertently stored on an unsecured server.

This incident happened due to human error, as an individual accidentally loaded three large Vertaforce data files onto an unsecured external storage service. Sometime between March 11 and August 1, an unauthorized 3rd party accessed the files on the unsecured server.

According to an internal source at Vertaforce, the three files contained information on driver’s licenses issued before February 2019, which the company was using for its insurance rating software solution.

In a bit of positive news, no social security numbers or banking information were accessed, and there is no evidence so far that the leaked information has been leveraged on the dark web to launch further hack attacks.

Related: 5 Common Accidental Sources of Data Leaks

How is Vertafore responding to the breach?

Vertafore said it has already notified relevant authorities about the nature of the breach, including the Texas Attorney General, the Texas Department of Public Safety, the Texas Department of Motor Vehicles, and federal law enforcement. The company is now also notifying Texas drivers whose data was exposed in the breach.

“To be considerate of all Texas driver license recipients and out of an abundance of caution, Vertafore is offering them one year of free credit monitoring and identity restoration services in recognition that these services offer valuable protection in other contexts beyond this event,” the company said.

This is not the only recent driver’s license-based hack. In September, personal information of thousands of New South Wales driver’s license holders was exposed after more than 100,000 images were left in an unsecured Amazon Web Services cloud storage folder.

Would this attack be covered by cyber insurance?

Yes. Here’s how.

Evolve’s cyber insurance policy covers  “Unauthorized Access” or an “Accidental Disclosure” of information resulting in a privacy breach due to a cyber event (aka hack attack). The main costs associated with unsecured server breaches are listed below.

First Party Coverage: 

  • IT Security and Forensic Costs ($500/hr)
  • Crisis Communication Costs ($500/hr)
  • 1st & 3rd Party Privacy Breach Management Costs ($1 – $3 per individual);
    • Credit Monitoring
    • ID Restoration & Theft Services
    • Call Center Damage Control

3rd Party Coverage:

  • Network Security Liability (Lawsuit Allegation)
  • Privacy Liability (Lawsuit Allegation)
  • Regulatory Fines & Penalties (Lawsuit Allegation)