Data Breach

Student health insurance carrier guard.me has taken their website offline after a vulnerability allowed a threat actor to access policyholders' personal information.

guard.me is one of the world's largest insurance carriers specializing in providing health insurance to students while traveling or studying abroad in another country.

On May 12th, guard.me discovered suspicious activity on their website that led them to take it offline. Visitors to the site are automatically redirected to a maintenance page warning that the site is down while the insurance provider increases its security.

"Recent suspicious activity was directed at the guard.me website and in an abundance of caution we immediately took down the site. Our IS and IT teams are reviewing measures to ensure the site has enhanced security in order to return the site to full service as quickly as possible," reads the guard.me website.

guard.me website maintenance page

Today, guard.me began emailing students a data breach notification, seen by BleepingComputer, stating that a website vulnerability allowed unauthorized persons to access policyholders' personal information.

"In the late evening of May 12, 2021 our Information Systems team discovered unusual activity on our website and as a precaution they immediately took down the website and took immediate steps to secure our systems. The vulnerability has been addressed. Our experts are diligently investigating the matter further," says the guard.me data breach notification.

This vulnerability allowed the threat actor to access students' dates of birth, genders, and encrypted passwords. For some students, their email addresses, mailing addresses, and phone numbers were also exposed.

guard.me states that they have fixed the vulnerability and that it has withstood further attempts by their cybersecurity team to bypass the additional safeguards.

The insurance carrier also states that they are instituting new policies for increased security, including database segmentation and two-factor authentication.

guard.me is a Canadian company, but it is not clear whether it disclosed the breach to the Privacy Commissioner of Canada, and the company has not responded to BleepingComputer's requests for more information.
