The challenge
An insurance agency principal had a specific concern: her primary operations platform was handling sensitive client data, and she didn't know what security controls the vendor had actually implemented versus what they'd promised in their sales process.
The question wasn't theoretical. Insurance agencies operate under state regulatory requirements for data security. A vendor breach that exposed client PII creates direct regulatory exposure for the agency, not just the vendor. The principal wanted to know her actual risk before regulators or a threat actor found out first.
Authorization was signed before any testing began: an IC agreement and CNDA that documented scope, authorization, and constraints. All testing was external, black-box only. No credentials. No active exploitation. OSINT and external security assessment against the vendor's internet-facing systems and published data handling practices.
What we found
The assessment covered the vendor's ARC system — their primary operations and document management platform handling policy documents, client records, agent data, and communications.
The findings broke down as follows:
Nine critical findings — including unauthenticated access paths, credential exposure in publicly indexed repositories, and data handling practices that violated the vendor's own published security standards.
Ten high-severity findings — including insufficient access controls, audit log gaps, and third-party integrations that expanded the attack surface beyond what the agency knew existed.
Ten medium-severity findings — information disclosure issues, configuration problems, and secondary exposure vectors that would accelerate exploitation if combined with critical findings.
The most consequential finding was the scope of exposed customer data: 21,000+ files containing PII for 1,890+ individuals were accessible through paths that required no authentication and no specialized knowledge. The exposure was not theoretical — it was a URL pattern that any automated scanner would discover within minutes.
The regulatory exposure analysis estimated potential penalties in the range of $14–18M based on applicable state data security statutes and the number of affected individuals — a number that dwarfed the vendor's annual contract value for the agency.
The framework
We ran the engagement under the PurviewX Pressure Test framework. Every finding is scored with CVSS v3.1. Evidence is documented and preserved before any report is generated. The minimum extraction principle applies throughout: prove the vulnerability exists, do not exfiltrate bulk data.
The deliverables were two documents: a technical report with full CVSS scoring, attack chain documentation, and evidence references; and an executive briefing written for the principal and her legal counsel — no technical jargon, clear statements of risk, and actionable remediation recommendations organized by priority.
The executive briefing is the deliverable that drives decisions. A technical report that can only be read by a security engineer doesn't create organizational action. The briefing format was designed to be handed to the agency's attorney, their state regulatory contact if needed, and the vendor's executive team as the basis for a remediation demand.
The engagement expanded
After reviewing the findings, the principal authorized an expansion of the engagement.
The original scope was one vendor. The expansion added two additional vendor relationships that the assessment had identified as potential exposure vectors through the primary vendor's third-party integrations. Each additional vendor went through the same framework: authorization documented, scope defined, findings CVSS-scored, evidence preserved, report delivered in both technical and executive format.
The expansion wasn't driven by alarm. It was driven by the fact that the initial report gave the principal a clear picture of what she was dealing with and what the assessment process looked like. She knew exactly what questions were being asked and what the answers would look like.
Lessons
- Vendor security is the agency's risk. Every insurance agent signing a contract with a software vendor is accepting a share of that vendor's security posture. Understanding what you've accepted requires looking at the vendor from the outside — which is exactly what a threat actor would do.
- Regulatory exposure quantification changes the conversation. A finding that says "customer data was exposed" is concerning. A finding that says "customer data exposure carries $14–18M in estimated regulatory penalties" creates urgency. The financial framing is not scaremongering — it's the correct way to evaluate a business risk.
- Executive briefing format determines organizational impact. Security reports that can only be read by security engineers don't drive remediation. Reports written for the CEO, the principal, and legal counsel do.
- Expansion follows credibility. Every engagement we've run that expanded after the initial report expanded because the initial report was credible, complete, and actionable — not because we pitched the next phase.
PurviewX delivers authorized security assessments for organizations that need to understand their vendor exposure before regulators or threat actors do. Start a conversation.