What would have been on the front page of every Texas news site and paper was momentarily drowned out by the roar of collective COVID fear and election hype that gripped our nation in the last year. Now that 2021 has begun and some of the noise has died down, it is time to revisit one of the many gifts that 2020 reserved just for Texans. The company Vertafore Inc, a major software solutions provider for insurance companies and brokers, was hacked in 2020 by nefarious actors who targeted the company to steal the Personally Identifiable Information (PII) of the citizens of the State of Texas. They were able to steal 27.7 million records. The records included information such as driver’s license numbers, names, birth dates, home addresses, and even vehicle registration histories. The Attorney General is currently working with the company and an outside security firm to track down the responsible parties; however, for now, a discussion needs to be had regarding what the future looks like for companies that, for whatever reason, make these kinds of mistakes. What steps could Vertafore have taken that would have preempted the breach? Are there steps that they, and other companies that find themselves in similar scenarios, should take to minimize the damage of these breaches? These questions and more are addressed and expounded on in the coming pages.
The Vertafore Variable: When PII equals 27.7 Million
2020 Vision in the Shadows of a Pandemic
In the summer of 2020, while the world was fighting a global pandemic and many were struggling to decide whether they could afford to go to work or work from home, an entity was already at work in the cyber-shadows. A hacker (or hackers) whose identities are still unknown was planning something big. It was timed perfectly to be the most unexpected and the most profitable. Yes, while the country rushed to buy N-95 masks at the stores and the grocery suppliers struggled to keep toilet paper on their shelves, a nefarious shadow attack stole information from a company named Vertafore.
This may be the only time that PII has ever equaled 27.7 million. How is that possible? When this group of bad actors did their dirty deed, they liberated over twenty-seven million Texans’ personal data. Newsflash: the population of Texas in 2021 is only 28,995,881, according to the 2019 Census (U.S. Census Bureau QuickFacts, 2020). This means that most of the population, or those with driver’s licenses, had their Personally Identifiable Information (PII) sold. Attacks like this are happening every hour, and it is a new age of cyber-crime. It should hardly be surprising that Vertafore was targeted, as they handled sensitive information. The statistics speak for themselves. A shocking 4,000 ransomware attacks happen daily, and nearly 50,000 devices (computers) are infected by nefarious actors every month (Malomo et al., 2020). These are ample reasons to pitch to organizational leadership if they are not on board with implementing the best new tools to reinforce the organization’s security measures.
Research on the Organization
Vertafore was acquired by Roper Technologies in 2020. The interesting aspect of this acquisition is the timing. Including the debt, Vista and Bain spent $2.7 billion to buy Vertafore in 2016, compared to the $1.4 billion TPG Capital paid for the company in 2010 (Simpson, 2020). On August 16, 2020, Reuters reported that Roper would buy Vertafore for $5.35 billion (Staff, 2020). This was conveniently near the date when Vertafore announced they had been hacked. Maggie Miller, a columnist for The Hill, writes that the firm immediately began investigating the breach and hired an intelligence firm to assess the extent of the damage (Miller, 2020).
The Security Record of Vertafore
By all accounts, Vertafore has a very high reputation for data security. They have a trust center that customers and any website visitors are able to check to see how dependable they are. As the breach is discussed below, keep this in mind. All companies are fallible, and the field of cybersecurity is extremely difficult to predict and stay ahead in.
How and Why the Security Breach Happened
The breach happened between March 11 and August 1 and was discovered in the middle of August. This left somewhere around two hundred and twenty-two days for the hackers to extract data. Vertafore’s account of events, as stated in their public announcement, was that the hack happened as a result of human error. They state, “three data files were inadvertently stored in an unsecured external storage service that appears to have been accessed without authorization” (Vertafore — Kroll, 2020). These files contained driver’s license numbers, names, dates of birth, addresses, and even vehicle registration information. All of this data for those with a driver’s license issued before February 2019 was leaked (Jennings, 2020). One interesting correlation that could be related to the incident was their partnering with a company called Pramata back in 2018. They chose Pramata over a different company because of how easily it integrated with their existing Salesforce CRM. In a case study published by Vertafore in 2018, they expound on this.
Using a consolidated record system, Pramata rapidly allowed Vertafore to coordinate and centralize 30,000 business relationships for the whole organization to access as necessary. It also allowed DocuSign and Salesforce to incorporate sales and renewal procedures and unique strategies for price adjustments, commitments, entitlements, and deferred revenue. This was an interesting move, as the data began to become central and accessible to the business entities across Vertafore. One example of this is the promoter portal. This portal provided the whole organization with access to all business relationship details and allowed them to see the different consumer segments with their characteristics and other information. It was also equipped with search functionality that mimics the power of an advanced Google search. There is one final piece that lends credence to the potential role played by Pramata in this disclosure of data. Due to the Pramata system’s application to Vertafore’s data repositories, the organization was able to clear space in their IMS vendor facilities while moving hard copies of contracts into Pramata. Going even further, this achievement ignited a larger business effort across Vertafore to eliminate wasteful storage habits. This movement essentially halted all pointless storing of records, ultimately clearing six facilities and generating savings that reached six figures (Rothman, 2018, p. 2). This happened in the years 2017 to 2018, two years before the negligence that caused an errant storage device holding incredibly sensitive PII to be accessed. These may be entirely unrelated incidents; however, they merit examination, as this is a severe data breach and could result in very negative consequences for many people across the state.
How the Organization Handled the Issue: Good or Bad?
Vertafore was faced with a difficult situation. Only three files were leaked, and as a result, the integrity of their entire company was suddenly in question. They are said to be working closely with law enforcement and the Attorney General of Texas on ferreting out the hackers and limiting, wherever they can, the potential damage that the released PII could cause. They handled the situation well in the aftermath; however, the best offense is a good defense, and as the saying goes, an ounce of prevention is worth a pound of cure.
The Organization’s Response to the Hacking Incident
Vertafore took several actions to address the problem once it became apparent that they had been hacked. They ramped up security, securing the files they deemed likely to have been affected, and began a system-wide sweep of the data security situation. They also hired an outside security firm to assist in this effort. Vertafore also reported the breach to the Attorney General of Texas, the Texas DPS, the Department of Motor Vehicles, and federal law enforcement officials. In recognition of the damage caused, they also offered credit monitoring to affected people. “Vertafore is offering … one year of free credit monitoring and identity restoration services in recognition that these services offer valuable protection in other contexts beyond this event” (Vertafore — Kroll, 2020).
Steps Vertafore Took in response to the Hack
1. Secured the Hacked Files
2. Hired an Outside Consulting Security Firm
3. Conducted System Sweeps
4. Notified the required entities of the situation
5. Offered free credit monitoring to anyone who was affected
Scholarly Contributions to the Discussion
The sources cited above are either news-related or public announcements made by Vertafore. This section introduces several leading academic or professional opinions on this topic. The critical issue that caused Vertafore’s data leak was one unsecured storage solution. This could have been prevented with standard-practice measures such as encryption or any number of other tools. Malomo et al. (2020) point out that increasing numbers of cybercriminals are shifting their focus and skills towards accessing organizational data storage (p. 1). Unlike ransomware or denial of service, which have some direct utility that gives instant gratification to the intruder, the elegant and straightforward data access attacks are planned and often extremely quiet.
How could Vertafore have preempted this attack?
The question remains: how could Vertafore have prevented or preempted this attack? There is no simple answer; however, there are several best practices that they may have neglected to follow, which may have contributed to the issue. Research in the cybersecurity industry has focused in recent years on blockchain as a solution for everything from election vote integrity to organizational data security. A study by Malomo et al. (2020) explores the use of blockchain and federated cloud computing technologies to more effectively secure organizational data. Their proposed method of securing offsite data is named the Block Vault and involves the following steps. Each of these steps, or levels, is taken from Malomo et al. (2020) and expounded on to apply it to the situation at Vertafore.
Encryption of all offsite data using a key that is created by the clients themselves
There is no direct parallel to a client-side security measure in the Vertafore system breach, because the data was intended for authorized system users and not for the public. The issue with the system that Vertafore used to store their data offsite was that it either was not encrypted or was encrypted poorly. The period, two hundred and twenty-two days, is more than ample to crack a poorly encrypted file storage device, depending on the hacker’s skill. The Georgetown Law Journal outlines six workarounds that allow access to systems that are encrypted.
Six Encryption Workarounds
1. Find the Key
2. Guess the Key
3. Compel the Key
4. Exploit a Flaw in the encryption scheme
5. Access plaintext when the device is in use
6. Locate a plaintext copy (Kerr & Schneier, 2018, p. 996).
These six are mainly focused on law enforcement gaining access to criminals’ encrypted devices; however, they could easily cut the other way. For example, the third option, compelling a key, would mean that agents coerce a criminal into revealing the key to their encryption. The other application of this is when criminals gain leverage over a government official or an executive in an organization and use it to compel them to give up the encryption key. In Vertafore’s case, nothing public suggests this happened. Little has been said about the identity of the responsible party. As the incident report implies, the most likely scenario was either the fifth or sixth workaround. Someone could have accessed the plaintext while the device was in use, or they could have gained access to the storage device and found it unencrypted, or found another partition without encryption.
Each of these would potentially allow a hacker to access files, encrypted or otherwise, and use them. This shows that encryption alone is not enough to claim that an organization has excellent data security of their stored PII. This is why it may also be useful to consider the next point mentioned by Malomo et al. (2020): multi-factor authentication.
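As an added illustration of the first Block Vault step, encrypting offsite data with a key the client creates and keeps, the following Go program (not Vertafore’s or Malomo et al.’s code) seals a record with AES-GCM before it would be uploaded. What reaches the storage service is a key identifier, a random nonce and ciphertext, so a copy taken from an exposed store is unreadable without the client-held key, and a wrong key or any altered byte fails to decrypt. The Envelope format, the key identifier and the sample record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Envelope is all that is written to the external storage service: a key
// identifier, the random nonce and the AES-GCM ciphertext. Neither the
// client-created key nor the plaintext ever leaves the client.
type Envelope struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record before upload. The key ID is bound as additional
// authenticated data, so a stored blob cannot be re-labelled to another key.
func Seal(keyID string, key, record []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, record, []byte(keyID))
	return Envelope{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a blob fetched back from storage using the client-held
// keyring. A missing key, a wrong key or any modified byte is an error,
// so a copy taken from an exposed store yields nothing usable.
func Open(keyring map[string][]byte, env Envelope) ([]byte, error) {
	key, ok := keyring[env.KeyID]
	if !ok {
		return nil, fmt.Errorf("no client key for %q", env.KeyID)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.KeyID))
}

func main() {
	key := make([]byte, 32) // 256-bit key generated and kept on the client
	io.ReadFull(rand.Reader, key)
	env, _ := Seal("k-2020-03", key, []byte("DL#EXAMPLE00001|Jane Doe")) // constructed, fictitious record
	fmt.Printf("stored blob: %x\n", env.Ciphertext) // ciphertext only, no plaintext visible
	_, err := Open(map[string][]byte{}, env)        // a leaked copy without the client key
	fmt.Println("without client key:", err)
	pt, _ := Open(map[string][]byte{"k-2020-03": key}, env)
	fmt.Println("with client key:", string(pt))
}
```

This protects only the stored copy; as the workarounds above note, plaintext in use on the client or a stray plaintext copy is outside what encryption of the offsite data can prevent.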
Multi-Factor Authentication and Biometrics
Having multiple ways of ensuring who is accessing the data on systems, and when they are accessing it, is paramount in the war against cybercriminals. Employing biometric systems in physical data storage facilities is a prudent precaution and is becoming more common (Kerr & Schneier, 2018, p. 1003). If biometrics are beyond the budget, then multi-factor authentication is the next best thing. Even banks have begun using two-factor authentication for account access, which sends text messages to members’ phones to confirm that they are the ones trying to gain access. It is a very effective method of nullifying hackers’ attempts to breach the password wall.
There are two sides to the security system
The Client Side of the System
The client side requires dual control and several other measures to allow access to the system. In the case of the system involved in the Vertafore breach, there appears to have been no significant client side at all; it was merely an unsecured storage solution. The exact storage service is undisclosed on all the leading news sites and is challenging to find. What is clear is that if the storage service provider were a company like Amazon Web Services, for instance, they would be interested in being involved in the investigation, as they have a good reputation for security. This is most likely the case.
The Federated Side of the System
On the federated side, maintenance on systems must be performed periodically, which could be a potential weak spot to bolster. Malomo et al. (2020) propose three validators for the data wall’s federated side. They must be randomly selected and rotated to prevent any outside actor from predicting them. These validators require access credentials for any access to the data storage and may or may not go further on identification requirements (p. 7). Crypto-key pairs update daily to keep the hackers out. This is floated by Malomo et al. (2020) with the comment that it is currently financially unfeasible and shows a limited ROI but could merit further research (p. 7). These steps are just the beginning of a real understanding of what could be done to secure offsite data from nefarious actors (Malomo et al., 2020, p. 7).
What Could Vertafore Have Done Better?
Vertafore did what they should have done once they discovered the hack. It is possible that they could have done more before the hack occurred. They should have had better physical security of their data storage systems. Also, assuming the drive was encrypted, the criminals had access for a sufficient amount of time to decrypt the data on that drive. Then they had time to copy and steal the data of 27.7 million people. That is far too much time to go undetected by the cybersecurity team. Their public statement reads: “Vertafore takes data privacy and security very seriously. The company has safeguards to protect its information and systems, with dedicated internal teams and partnerships with leading external firms. Vertafore recently determined that as a result of human error, three data files were inadvertently stored in an unsecured external storage service that appears to have been accessed without authorization” (Vertafore — Kroll, 2020). The important words to notice in this are: recently, inadvertently, unsecured external storage service, and without authorization. They could have maintained the security mindset that they had when they were growing and seeking companies like Pramata to manage their data storage and governance. The authorization piece is also huge. If Vertafore had used a higher level of access verification or security, the leak might not have happened. However, these kinds of incidents can happen to anyone, and a certain unpredictability exists in the cyber world.
What is the bottom line on data security breaches from unsecured data storage media? Where does the buck stop? How can data stewards be held accountable for the data they have been trusted with? To address this last question, it will be beneficial to turn to the sector most often targeted by cybercriminals: the healthcare industry. One of the primary challenges facing cybersecurity professionals specializing in healthcare is the forensic readiness of their data storage systems.
When teams go in to assess the damage of an attack, there must be a way to identify the chain of custody of data and find any clues that may lead to the intruder’s identity. This challenge has become relevant in recent years due to a rise in privilege abuse in health data systems (Chernyshev et al., 2019, p. 11).
In conclusion, the massive 2020 hack that impacted 27.7 million Texans has taught many people how easily three files can damage an entire state. Vertafore has been acquired by Roper Technologies and will likely be subject to a higher degree of oversight until their business security practices are improved. What can be done about the lost data? Practically nothing; however, there are several steps affected Texans can take to secure themselves. First, they can visit the website provided by Vertafore and claim the free credit monitoring services, which is a start. Second, they can keep an eye on their credit report and be ready to freeze credit, report fraud, and act on anything else that seems out of place. If companies like Roper Technologies and their subsidiary Vertafore are to be trusted with the PII of any number of Texans, they will need to show a higher dedication to best practices. In this case Pi may equal three files (3) pointing (.) to one mistake (1) for (4) no good reason, but the volume of PII equals 27.7 million. With better cybersecurity in place, companies can foster the kind of security-aware culture that avoids irrational thinking and is constant, positive, ever-changing, and trusted. It may not really be Pi, but it can be a piece of cake.
Chernyshev, M., Zeadally, S., & Baig, Z. (2019). Healthcare Data Breaches: Implications for Digital Forensic Readiness. Journal of Medical Systems, 43(1), 1. http://dx.doi.org/10.1007/s10916-018-1123-2
Jennings, R. (2020, November 16). Vertafore Leak: Private Data of 28M Texans. Security Boulevard. https://securityboulevard.com/2020/11/vertafore-leak-private-data-of-28m-texans/
Kerr, O., & Schneier, B. (2018). Encryption Workarounds. The Georgetown Law Journal, 106, 989.
Malomo, O., Danda, R., & Moses, G. (2020). Security through block vault in a blockchain enabled federated cloud framework. Applied Network Science, 5(1). http://dx.doi.org/10.1007/s41109-020-00256-4
Miller, M. (2020, November 13). Software vendor says data breach exposed nearly 28 million Texas driver’s license records [Text]. TheHill. https://thehill.com/policy/cybersecurity/525923-data-breach-of-software-vendor-exposes-almost-28-million-texas-drivers
Rothman, J. (2018). Vertafore Inc.: With a new approach to increase customer lifetime value, Vertafore bolsters future revenue growth [Case study]. 2.
Simpson, A. (2020, August 13). Roper to Acquire Insurance Software Firm Vertafore for $5.35 Billion. Insurance Journal. https://www.insurancejournal.com/news/national/2020/08/13/578970.htm
Staff, R. (2020, August 13). Roper Technologies to buy Vertafore for $5.35 billion. Reuters. https://www.reuters.com/article/us-vertafore-m-a-roper-tech-idUSKCN2591OM
Trust Center. (n.d.). Vertafore. Retrieved February 19, 2021, from https://www.vertafore.com/trust-center
U.S. Census Bureau QuickFacts: Texas. (2020). https://www.census.gov/quickfacts/fact/table/TX/PST045219
Vertafore — Kroll. (2020). https://vertafore.kroll.com/
This alludes to the mathematical constant “pi”, which equals 3.14159.
Those who are affected by this should check what compensation they are entitled to on the Vertafore website as soon as possible.
Many companies have tripped up on these kinds of security issues. Vertafore has an extremely high rating for data security satisfaction, and this should be taken into account when considering this lapse in their performance (Trust Center, n.d.).
These six workarounds are provided in a law enforcement context (Kerr & Schneier, 2018).
The most likely scenario is that an insider is involved, intentionally or through coercion.
The other side of this coin looks a lot like ransomware attacks: coercion in order to be given the key.
The timing of the Vertafore acquisition by Roper Technologies is slightly suspect, as they announced the hack around the same time. It may be possible that the hack was discovered earlier than the date it was reported and that this prompted the acquisition.
Chernyshev et al. (2019) suggest implementing an intelligent, real-time artifact identification module that would work with EMS, cloud forensics logging, and other services (p. 11).