[BreachExchange] Student health insurance carrier Guard.me suffers a data breach

Destry Winant destry at riskbasedsecurity.com
Tue May 18 10:20:43 EDT 2021


https://www.bleepingcomputer.com/news/security/student-health-insurance-carrier-guardme-suffers-a-data-breach/

Student health insurance carrier guard.me has taken their website offline
after a vulnerability allowed a threat actor to access policyholders'
personal information.

guard.me is one of the world's largest insurance carriers specializing in
providing health insurance to students while traveling or studying abroad
in another country.

On May 12th, Guard.me discovered suspicious activity on their website that
led them to take down their website. When visiting the website, visitors
are automatically redirected to a maintenance page warning that the site is
down while the insurance provider increases security on the site.

"Recent suspicious activity was directed at the guard.me website and in an
abundance of caution we immediately took down the site. Our IS and IT teams
are reviewing measures to ensure the site has enhanced security in order to
return the site to full service as quickly as possible," reads the guard.me
website.

Today, guard.me began emailing students a data breach notification seen by
BleepingComputer that states a website vulnerability allowed unauthorized
persons to access policyholders' personal information.

"In the late evening of May 12, 2021 our Information Systems team
discovered unusual activity on our website and as a precaution they
immediately took down the website and took immediate steps to secure our
systems. The vulnerability has been addressed. Our experts are diligently
investigating the matter further," says the guard.me data breach notification.

This vulnerability allowed the threat actor to access students' dates of
birth, genders, and encrypted passwords. For some students, their email
addresses, mailing addresses, and phone numbers were also exposed.

guard.me states that they have fixed the vulnerability and that it has
withstood further attempts by their cybersecurity team to bypass the
additional safeguards.

The insurance carrier also states that they are instituting new policies
for increased security, including database segmentation and two-factor
authentication.

guard.me is a Canadian company, but it is not clear whether it disclosed the
breach to the Privacy Commissioner of Canada, and the company has not
responded to BleepingComputer's requests for more information.