INSURASALES

ClaimPix Auto Insurance Data Breach Exposes Millions of Customer Records

A significant data exposure incident has affected ClaimPix, an Illinois-based platform that manages auto insurance claims across the United States. Cybersecurity researcher Jeremiah Fowler discovered a publicly accessible database containing over 5.1 million files with 10.7 terabytes of unencrypted data, including personally identifiable information (PII). The exposed data spans insurance documents with customer names, addresses, phone numbers, and emails, as well as sensitive vehicle-related files such as official registrations, repair invoices, and images showing license plates and Vehicle Identification Numbers (VINs).

Further investigation revealed the inclusion of internal company documents, including confidential software license agreements, and detailed vehicle specifications like the year, make, and model. Notably, approximately 16,000 Power of Attorney (POA) documents were exposed, which authorize third parties to handle vehicle title transactions. These electronically signed documents also contained IP addresses, amplifying the risk profile of the breach.

The exposure presents significant risks including identity theft, financial fraud, and vehicle cloning—a form of motor vehicle identity theft involving the illegal use of VINs and license plates. Such breaches pose compliance challenges under data protection regulations and elevate concerns around data governance and cybersecurity practices within insurance technology platforms.

ClaimPix responded promptly upon responsible disclosure by limiting database access and confirming the breach. The company has announced policy and code updates to address these vulnerabilities. However, it is still undetermined whether ClaimPix directly managed the database or if a third-party vendor was responsible, and the duration of exposure remains unclear.

This incident underscores the critical need for stringent data security measures and continuous monitoring in insurance claim processing platforms, especially those handling extensive PII and sensitive legal documents. It also highlights the broader industry need for stronger cybersecurity controls and vendor risk management to safeguard customer data and maintain regulatory compliance.