According to Tech Digest, the Cybernews research team discovered an unprotected data stream at insurtech firm Companjon in late August, leaking millions of records over several hours via an Apache Kafka server. Over seven days, more than 15 million records passed through, suggesting the total leak could have reached hundreds of millions. The Dublin-based firm, which provides embedded insurance for major travel platforms like Trainline, Omio, and TripX, exposed API logs containing highly sensitive future-dated travel itineraries, with details like routes and carriers planned as far out as 2026. While most records held travel and financial data, over 15,000 included full names and email addresses. Researchers spent months trying to alert Companjon, with the leak finally being secured in late November, months after its discovery.
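The root cause described above is a Kafka broker that anyone on the network could read from. The following is an added example, not code from the article, from Cybernews or from Companjon: a small Python audit that reads a broker's server.properties and flags the settings that leave a data stream open to anonymous consumers (a PLAINTEXT listener, no authorizer, or an authorizer that defaults to allow). The two configurations embedded in it are constructed samples, and the host names, paths and broker id are placeholders; the property names are standard Apache Kafka broker keys.

```python
"""Audit a Kafka broker's server.properties for settings that expose a
data stream to anonymous readers.

Added example, not from the article or the companies it names. It assumes
standard Apache Kafka broker property names; the configs below are
constructed samples with placeholder hosts and paths.
"""
from dataclasses import dataclass

# Constructed sample: a broker with no authentication, encryption or ACLs.
WEAK_CONFIG = """
broker.id=0
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://broker.example.internal:9092
log.dirs=/var/lib/kafka
"""

# Constructed sample: the same broker with TLS, SASL/SCRAM auth and ACLs.
HARDENED_CONFIG = """
broker.id=0
listeners=SASL_SSL://0.0.0.0:9093
advertised.listeners=SASL_SSL://broker.example.internal:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
ssl.truststore.location=/etc/kafka/ssl/broker.truststore.jks
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
log.dirs=/var/lib/kafka
"""


@dataclass
class Finding:
    key: str        # the property the finding is about
    severity: str   # "high" or "medium"
    message: str


def parse_properties(text: str) -> dict[str, str]:
    """Minimal parser for Java .properties text: key=value, '#'/'!' comments."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def listener_protocols(props: dict[str, str]) -> set[str]:
    """Security protocols actually used by `listeners`.

    Custom listener names (e.g. INTERNAL://...) are resolved through
    listener.security.protocol.map; a name with no mapping is itself a
    protocol name, which is Kafka's default behaviour.
    """
    protocol_map: dict[str, str] = {}
    for entry in props.get("listener.security.protocol.map", "").split(","):
        name, sep, proto = entry.partition(":")
        if sep:
            protocol_map[name.strip().upper()] = proto.strip().upper()
    protocols: set[str] = set()
    for entry in props.get("listeners", "").split(","):
        name = entry.split("://", 1)[0].strip().upper()
        if name:
            protocols.add(protocol_map.get(name, name))
    return protocols


def audit(props: dict[str, str]) -> list[Finding]:
    """Return the exposure findings for one broker configuration."""
    findings: list[Finding] = []
    protos = listener_protocols(props)

    if "PLAINTEXT" in protos:
        findings.append(Finding("listeners", "high",
            "PLAINTEXT listener: no authentication and no encryption; anyone "
            "who can reach the port can consume every topic"))
    if "SASL_PLAINTEXT" in protos:
        findings.append(Finding("listeners", "medium",
            "SASL_PLAINTEXT listener: authenticated but unencrypted; "
            "credentials and records cross the network in the clear"))
    # An SSL listener authenticates the broker only; without client certs
    # every consumer connects as User:ANONYMOUS.
    if "SSL" in protos and props.get("ssl.client.auth", "none").lower() != "required":
        findings.append(Finding("ssl.client.auth", "medium",
            "SSL listener without ssl.client.auth=required admits clients "
            "as User:ANONYMOUS"))
    # Without an authorizer no ACLs are evaluated at all; with one, the
    # default for topics lacking an ACL must be deny.
    if "authorizer.class.name" not in props:
        findings.append(Finding("authorizer.class.name", "high",
            "no authorizer configured: ACLs are never evaluated"))
    elif props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append(Finding("allow.everyone.if.no.acl.found", "medium",
            "topics without an explicit ACL are readable by any principal"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit(parse_properties(text)):
            print(f"[{f.severity}] {f.key}: {f.message}")
```

The check is deliberately a configuration review rather than a network probe: run it against the file in a deployment pipeline or a vendor questionnaire and it fails closed on the exact combination that would expose a stream, an unauthenticated listener plus no authorization. It only tests that `authorizer.class.name` is set, so a KRaft broker using `org.apache.kafka.metadata.authorizer.StandardAuthorizer` passes just as the ZooKeeper-era `AclAuthorizer` does. Network reachability of port 9092 is a separate control and a separate check.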
B2B Backdoors Are A Nightmare
Here’s the thing that should keep every CISO up at night: your security is only as strong as your most vulnerable vendor. Companjon wasn’t a consumer-facing brand most people would recognize. It was a behind-the-scenes B2B provider. But that “less visible” status, as the researchers put it, created a massive backdoor into the data of millions of customers across multiple giant platforms. Trainline, Omio, TripX—they all trusted Companjon to handle sensitive data securely. And that single point of failure failed spectacularly. It’s a perfect case study in third-party risk. Companies pour millions into their own security, but one vendor’s misconfigured server can blow it all apart.
Why This Data Is So Dangerous
This wasn’t just a list of old email addresses. The combination of data types here is what makes it uniquely toxic for fraud. Think about it. You have future travel itineraries: exact dates, routes, and carriers. You have personal info like names and emails. With that, a scammer can craft a scarily convincing phishing attack. They could email you a week before your 2025 flight, posing as the airline, and say there’s a problem with your booking. Or, as researchers warned, impersonate hotel staff to threaten a cancellation. The victim is already primed to be anxious about the trip, making them way more likely to click a malicious link or make a fraudulent payment. It’s social engineering with a precision-guided dataset.
The Slow Response Is Part Of The Problem
Now, let’s talk about the timeline. The leak was found in late August. It wasn’t secured until late November. That’s a gap of about three months where this data was wide open. Cybernews says they spent “multiple months” trying to inform the company. So what happened? Was there no clear channel for reporting a critical vulnerability? Was it ignored? We don’t know the specifics, but a lag that long is unacceptable. Every day that passes is another day for a bad actor to potentially find that same open server. It shows that incident response isn’t just about having a plan for your own systems. You need a plan for when your vendors are the ones on fire, and you might not even know it.
A Cautionary Tale As The Lights Go Out
There’s a final, almost ironic twist to this story. The disclosure comes as Companjon is winding down its operations. Its parent company, La Mobilière, is pulling the plug to focus on its core business. So, in a way, this leak is like a final, glaring spotlight on a company that’s already exiting stage left. But the implications aren’t going away. For other businesses, especially in sectors like travel, finance, or anywhere sensitive data is handed off to third-party processors, this is a stark warning. You have to audit your vendors like you audit yourself. Because when their security fails, it’s your customers who get hurt, and your brand’s trust that takes the hit. And in today’s landscape, that’s a hit many companies can’t afford.
