Insuretech firm Companjon leaks millions of private travel records, Cybernews reports

Cybersecurity

Insuretech firm Companjon has exposed millions of personal records, including future travel data, according to an investigation by the Cybernews research team.

The leak highlights the vulnerability of B2B vendors, which can compromise the sensitive data of customers across multiple large-scale platforms.

The Cybernews research team discovered the unprotected instance in late August, leaking millions of records over several hours via an Apache Kafka stream. Businesses use Kafka to process data in real time, so only records passing through the stream at the moment of observation are visible; data already processed could not be reviewed.

However, the team noticed that over 15 million records passed through the instance over seven days, which means the true extent of the leak could well have been in the hundreds of millions.

Companjon, which partners with major travel companies like Trainline, Omio, and TripX to provide embedded insurance, was leaking logs that contained application programming interface (API) interactions from these major partners.

The most sensitive exposed details included future-dated travel itineraries, revealing exact routes, carriers, and travel dates as far out as 2026.

While the majority of records contained travel and financial data, over 15,000 records included personally identifiable information (PII) such as full names and email addresses.

Researchers warned that the combination of exposed personal, financial, and future travel details creates the perfect environment for highly targeted fraud campaigns.

An attacker, for example, could impersonate hotel staff, threatening to cancel a future booking to coerce victims into making fraudulent payments.

The Cybernews team spent multiple months attempting to inform the Dublin-based insuretech firm of the leak. The instance was finally secured in late November, months after its initial discovery.

“This demonstrates how a single, less visible B2B vendor can compromise the data and trust of millions of customers across multiple large-scale platforms,” Cybernews researchers stated.

The disclosure comes as Companjon, a subsidiary of La Mobilière, is in the process of winding down its operations to allow the parent company to focus on its core business.

Cybernews

For latest tech stories go to TechDigest.tv
