Investment firm Muddy Waters Research LLC has claimed that insurtech firm Lemonade has an “unforgivably negligent security flaw” in its website that potentially exposes customer data.
In a letter to Lemonade CEO Dan Schreiber, Muddy Waters asserts that major search engines have inadvertently accessed and indexed private data due to a bug that could give rise to costly legal and regulatory breaches.
Muddy Waters is an activist investor that conducts investigative research on public companies, but it also takes investment positions, including short positions, in the firms it researches.
As evidence, the investor says it was able to log in and edit Lemonade customer accounts just by clicking on results from public search engines, without having to provide any user credentials.
If true, the allegations mean that Lemonade would likely be in violation of European GDPR rules, as well as various cybersecurity requirements in the US.
Muddy Waters CEO Carson Block wrote that all Lemonade customers from July 2020 onwards could potentially be affected by the security flaw, with the scope of the damage possibly including all Lemonade API integration partners, as well as all customers who have submitted personally identifiable information via the Lemonade API.
He added that it is unknown whether Lemonade data has been obtained by other crawlers or malicious parties or how long it will take to remediate the damage, and recommended that the insurtech should shut down its websites, APIs and mobile app until the exposure is rectified.
“Due to the ease with which a crawler could inadvertently stumble into a Lemonade user’s account; how lucrative the data stored there could be for identity thieves; and the relatively sizeable Lemonade user base, we fear there could be numerous harmed parties, but we are unable to provide an estimate of impact size,” Block stated.
“This vulnerability can easily be leveraged in phishing campaigns to potentially commandeer user accounts or user data, so we view it to be likely that a breach has already occurred,” he warned. “Lemonade users should be notified and should be on alert for potential follow-up phishing or spearphishing attacks.”
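The report does not say how a search-engine crawler ended up inside authenticated pages. The question a defender would want answered first is the one Block says he cannot: how many accounts a crawler actually reached. The following is an added example, not code from the article or from Lemonade, of the log triage that answers it. It assumes combined-format web access logs, an assumed private path layout (`/account`, `/policy`, `/claims`, `/api/v1/me`), and, as a working hypothesis only, the common root cause for this class of exposure: a credential-bearing link (a token in the query string) that a crawler can follow. The log lines are constructed. It flags crawlers that were served a private page with a 200 and, separately, any request carrying a credential-like query parameter, which would also leak through browser history and referrer headers even if no crawler ever saw it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample access log (Apache/nginx "combined" format). IPs, paths and
# tokens are made up for this example; nothing here comes from the article.
SAMPLE_LOG = """\
66.249.66.1 - - [10/Mar/2021:10:00:01 +0000] "GET /account/settings?token=ab12cd34 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [10/Mar/2021:10:00:02 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
40.77.167.3 - - [10/Mar/2021:10:00:03 +0000] "GET /account/settings HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
203.0.113.5 - - [10/Mar/2021:10:00:04 +0000] "GET /claims/1234?auth=ef56gh78 HTTP/1.1" 200 9000 "https://mail.example/" "Mozilla/5.0 (Windows NT 10.0) Firefox/86.0"
203.0.113.9 - - [10/Mar/2021:10:00:05 +0000] "GET /policy/9876 HTTP/1.1" 200 7000 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
"""

# One combined-format line: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Major search-engine crawlers by User-Agent substring (assumed list; extend as needed).
CRAWLER_UA = re.compile(r"googlebot|bingbot|duckduckbot|baiduspider|yandexbot|slurp", re.I)

# Query parameter names that suggest a credential is being passed in the URL.
CREDENTIAL_PARAM = re.compile(r"(?:^|[?&])(?:token|auth|session|sid|api_?key|access_token)=", re.I)

# Path prefixes that should only ever be served to an authenticated session (assumed layout).
PRIVATE_PREFIXES = ("/account", "/policy", "/claims", "/api/v1/me")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    ip: str
    target: str


def parse_line(line: str) -> dict | None:
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_private(target: str) -> bool:
    """True if the request path (query string stripped) lies under a private prefix."""
    path = target.split("?", 1)[0]
    return path.startswith(PRIVATE_PREFIXES)


def audit(log_text: str) -> list[Finding]:
    """Flag crawlers served private pages, and any URL carrying a credential-like parameter."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target, status = rec["target"], int(rec["status"])
        # A crawler that received a 200 for a private path was inside someone's account.
        # A 302 (redirect to login) on the same path is the expected, healthy outcome.
        if CRAWLER_UA.search(rec["ua"]) and is_private(target) and status == 200:
            findings.append(Finding("high", "crawler served private page", rec["ip"], target))
        # Credentials in URLs leak via history, referrers and indexes regardless of who sent them.
        if CREDENTIAL_PARAM.search(target):
            findings.append(Finding("medium", "credential-like parameter in URL", rec["ip"], target))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, giving a first estimate of exposure scope."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.reason}: {f.ip} {f.target}")
    print(severity_counts(results))
```

On the constructed sample the first line (Googlebot, `/account/settings`, 200) yields both a high and a medium finding, the human request with `?auth=` yields a medium one, and the bingbot request that was redirected to login yields nothing. Run over real logs, the high findings give the count of accounts a crawler actually entered and the period involved, which is the scope figure the letter says could not be estimated; the medium findings list the URLs that need their tokens invalidated and, if they must stay in use, an `X-Robots-Tag: noindex` response header and a `robots.txt` disallow on top.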
Lemonade has yet to respond to the claims about this potential security flaw, but it is worth restating that Muddy Waters does take investment positions in the companies it researches, and so may have a vested interest in the share price of Lemonade falling.
Notably, Muddy Waters went public with its report before privately informing Lemonade. It says this approach better holds companies accountable for their data breaches, although more cynical commentators could argue that there may also be a financial incentive.