Data Breach: Affects Student Health Insurance Carrier guard.me

After a vulnerability enabled a threat attacker to access policyholders’ personal details, student health insurance provider guard.me has taken their website offline. 

guard.me is among the world’s largest insurance providers in international education, protecting thousands of individuals studying and working abroad. Founded in 1998 and incorporated in Canada as Travel Healthcare Insurance Solutions Inc. 

On May 12th, after a vulnerability permitted a threat actor to access policyholders’ personal details, Guard.me discovered suspicious activity on their website. Visitors to the website are automatically redirected to a maintenance page informing them that the site is unavailable while the insurance provider enhances security. 

“Recent suspicious activity was directed at the guard.me website and in an abundance of caution we immediately took down the site. Our IS and IT teams are reviewing measures to ensure the site has enhanced security in order to return the site to full service as quickly as possible.” displays on the guard.me website. 

Today, guard.me started sending out data breach notifications to students, according to BleepingComputer, stating that a website vulnerability enabled unauthorized people to access policyholders’ personal details. 

Our Information Systems team found suspicious activity on our website late on May 12, 2021, and as a precaution, they took down the website and took immediate measures to protect our systems. The security flaw has been fixed. Our investigators are working closely to discover more about the incident, guard.in states on the data breach notification. 

The threat actor was able to gain access to students’ dates of birth, sex, and encrypted passwords thanks to this flaw. The email addresses, mailing addresses, and phone numbers of certain students were also made public. 

The bug was patched, and urgent steps to protect their system were taken, according to the international student health insurance company, and it has withstood more attempts by their cybersecurity team to circumvent the additional protections. The insurance company also reports that they are implementing new security measures, including such as database segmentation and two-factor authentication. 

Guard.me is a Canadian corporation, so it’s unclear whether it informed the Privacy Commissioner of Canada about the violation, and it hasn’t responded to BleepingComputer’s requests for more details.