Continental Insurance Lanka Limited data breach


This time it's a Sri Lankan insurance company, Continental Insurance Lanka Limited (https://cilanka.com), which has 58 branches across Sri Lanka. This extensive branch network is designed to provide close and convenient service to its customers nationwide. Continental Insurance offers a wide range of personal and business insurance solutions.



DATA

Sample of the files exposed in the cilanka.com open directory


This insurer exposed an open directory 1.70 GB in size, with data in XLSX and JSON formats. The directory had been exposed since the beginning of 2025; imagine how long that data was accessible.
Among the exposed data were files called "claims" in JSON format. The file reviewed contained 3,657 medical insurance claim records.





What data do the files contain?






Employee/Patient, Internal CEA Reference, Reason for consultation, Claim Type, Claimed Amount, Amount Not Paid, Amount Finally Paid, Consultation Date, Date the Insurance Company Was Notified, Payment Date, Hospital/Clinic, Check Number, Status.





But where were the insured parties in this file from? 






From the Central Environmental Authority (CEA), https://www.cea.lk, the leading institution for environmental protection and management in the country.





Notification:






I notified the company on November 2nd via email to inform them of the situation and the information I was providing. This matter was closed on November 5th without a response from the insurer. I also didn't see any announcement on their website warning about this situation. Did the insurer notify the CEA (Central Environmental Authority of Sri Lanka) about the information I provided? We don't know, and we won't know, since no one responded to my emails.