Insuretech firm leaks millions of personal records, future travel data


Companjon, an insurance technology company, exposed an unprotected Kafka stream, leaking millions of logs, including travel itineraries, full names, emails, and other personally identifiable information.

The Cybernews research team discovered the unprotected instance in late August. It was leaking millions of records over several hours via an Apache Kafka stream. Businesses use Kafka to process real-time data, meaning that observing historical data is not possible.

However, the team noticed that over 15 million records passed through the instance over seven days, which means the true extent of the leak could well have been in the hundreds of millions.


After multiple attempts to inform the company about the leak, the issue was fixed in late November. We have reached out to Companjon for comment and will update the article once we receive a reply.

Companjon’s customers are companies, such as travel agencies, which individuals utilize to buy services. Companjon then takes end users’ data to provide insurance that the travel company may present as its own insurance or service.

Sample of the leaked data. Image by Cybernews.

What details did the Companjon data leak expose?

According to the team, the investigation identified over 15 million exposed logs across two topics, exposing application programming interface (API) interactions from major travel partners such as Trainline, Omio, and TripX.

The first topic contained 7.8 million records. Timestamps in the message headers indicated an accessible data window from August 20th, 2025, 13:12 UTC to August 28th, 2025, 11:44 UTC. The second topic held 7.3 million records. Timestamps in the message headers indicated an accessible data window from August 20th, 2025, 21:36 UTC to August 28th, 2025, 11:44 UTC.

The majority of the records only contained travel and financial data without customer information. However, researchers noted that leaked details included travel information and authorization tokens of providers. At least in theory, attackers could utilize this type of information for further attacks once inside the system.

“The investigation confirmed the leak was active, with the latest records appearing just hours before this report. This demonstrates how a single, less visible B2B vendor can compromise the data and trust of millions of customers across multiple large-scale platforms,” researchers said.

Over 15,000 records included customer details, such as full names, email addresses, and other personally identifiable information (PII). That constitutes 0.1% of all leaked records.

The team estimated that 960 million records may have been leaked throughout the time the instance was left unprotected. While it’s impossible to say what type of details were revealed without analyzing the whole batch, if the same 0.1% proportion for exposed PII were true, 960,000 user records would be exposed.


Our researchers believe that attackers combining different data types from the leaked dataset pose the biggest danger. Exposed personal details, financial and location information, paired with future travel information, open customers to highly targeted fraud campaigns. For example, attackers could impersonate hotel staff, threatening to cancel hotel reservations in order to coax victims into paying.

Sample of the leaked data. Image by Cybernews.

Business winding down

Companjon partners with major European travel platforms, which means that the number of affected people and their geographic spread could be greater than researchers initially uncovered. The company provides B2B2C (Business-to-Business-to-Consumer) services, mostly serving the digital e-commerce sector.

However, as of July, Companjon’s parent company, La Mobilière, decided to focus on its core business and started to wind down the Dublin-based insuretech firm’s operations. At the time of writing, Companjon’s website states exactly that, adding that it will “continue to service insurance products as before.”


“Nevertheless, they continue to service existing insurance products, so there is still a big impact on all the customers until this is sorted out,” our researchers concluded.


For one, the team noted that the leak included highly specific, future-dated travel itineraries, revealing exact routes, carriers, and travel dates for trips planned as far out as 2026.


  • Leak discovered: August 28th, 2025
  • Initial disclosure: August 29th, 2025
  • Irish CERT contacted: September 8th, 2025
  • Leak closed: November 27th, 2025
