Security Firm Finds Flaws in Indian Online Insurance Broker

NEW DELHI (AP) — Last month, a small cybersecurity firm told a major Indian online insurance broker that it had discovered critical vulnerabilities in the company’s Internet network that could expose personal data and sensitive financials of at least 11 million customers to malicious hackers.

The little-known company followed the standard ethical hacker playbook, giving insurance aggregator Policybazaar time to fix the flaws and notifying the authorities. It didn’t ask for prior permission to test Policybazaar’s system but said it felt justified in part because it had employees who were customers.

A week later, on July 24, Policybazaar, which is listed on the stock exchange and counts Chinese conglomerate Tencent among its investors, informed Indian stock exchanges that it had been illegally breached, but that “no meaningful customer data was exposed.”

It didn’t say much more.

The startup, CyberX9, is not keeping quiet. Its chief executive wants Indians to know that the “extremely critical multiple” vulnerabilities were so easy to find that it was almost as if Policybazaar intentionally left itself open to criminal or nation-state intrusion.

“It would have been extremely easy for anyone with a good computer/IT knowledge to discover, mine and leak all of this data,” said Himanshu Pathak, director of CyberX9.

The data includes not only names, home and email addresses, dates of birth and phone numbers, but also what people need to show to obtain insurance: digital copies of identity documents and health and financial information, including tax returns, payslips, bank statements, driver’s licenses and birth certificates, CyberX9 said.

A broker for multiple insurers and policy types that claims 90% of India’s online insurance aggregator market, Policybazaar collects data through user uploads and self-generated registrations. That included questionnaires that members of the Indian Armed Forces filled out – the company offers various insurance policies tailored to them – listing their ranks, branch of service and whether they work in hazardous areas and handle weapons and explosives.

The Associated Press reached three people listed in sample data provided by CyberX9, which included copies of sensitive personal documents; one of them was a soldier stationed in Ladakh, a region in conflict with Pakistan and China. All three confirmed that they are Policybazaar customers. All said they had not been informed of any security incident.

According to documents from the website of Policybazaar’s parent company, PB Fintech Ltd., 56 million people were registered on the site at the end of December, including 11 million “merchant customers” who purchased 25 million insurance policies.

Policybazaar did not respond to questions from the AP except to say it had fixed the identified vulnerabilities and referred the incident to outside advisers for a forensic audit.

It did not confirm that CyberX9 alerted it to the vulnerabilities, describe how its computer system was “subject to unlawful and unauthorized access” or explain what customer data was exposed. Policybazaar said the flaws were identified on July 19, the day after CyberX9 said it first alerted the brokerage.

Pathak provided the AP with copies of his email exchanges with India’s Computer Emergency Response Team (CERT-IN), which said on July 25 that Policybazaar had reported that the vulnerabilities were patched, and with a national cybersecurity official, Lt. Gen. Rajesh Pant, who told Pathak in a July 26 email, “Thank you for informing. Must take action against Policy Bazaar.”

Neither CERT-IN nor Pant responded to AP emails seeking comment.

CyberX9 said it decided to probe Policybazaar’s network for vulnerabilities after learning during its IPO in November how much sensitive and confidential data the company was handling.

CyberX9 said it found five vulnerabilities and was able to retrieve user data without any authorization check, and that there was no limit on the number of times an unauthorized user could perform such retrieval.

The researchers tested the vulnerabilities “fully automating them using very simple scripts, all without facing any viable restrictions from your systems,” CyberX9 told Policybazaar in the technical report it sent to the company last month.

“Given the simplicity and ease of discovering and exploiting these vulnerabilities, Policybazaar has clearly left the doors open for threat actors to invade the lives of its users.”
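The article describes the flaw class only in general terms: records retrievable without an authorization check, with no limit on repeated requests, so a short script can walk the whole data set. The block below is an added illustration of that class, not Policybazaar’s code or anything from CyberX9’s report; the record store, session tokens, request budget and function names are all constructed for the demo. It puts the weak lookup beside a hardened one that checks the session, rejects records the caller does not own with the same error it uses for missing ids, and counts every lookup, including failed ones, against a per-account rate limit, so that enumeration exhausts the budget after a handful of requests.

```python
# Added illustrative example (not from the article or the companies it names).
# Left side: a lookup with no authorization check and no request limit.
# Right side: the same lookup with session binding, ownership check and rate limit.
import time
from collections import defaultdict

# Constructed sample store: record id -> (owning account, sensitive payload)
RECORDS = {
    1001: ("alice", {"name": "Alice", "dob": "1990-01-01", "id_doc": "passport.pdf"}),
    1002: ("bob",   {"name": "Bob",   "dob": "1985-05-05", "id_doc": "licence.pdf"}),
    1003: ("carol", {"name": "Carol", "dob": "1979-09-09", "id_doc": "tax_return.pdf"}),
}

# Constructed session table: bearer token -> account name
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Forbidden(Exception):
    pass


class RateLimited(Exception):
    pass


def weak_get_record(record_id):
    """Vulnerable lookup: any caller, any id, any number of times."""
    return RECORDS[record_id][1]


def enumerate_weak(start, stop):
    """What a 'very simple script' amounts to against the weak lookup: walk the id space."""
    return {rid: weak_get_record(rid) for rid in range(start, stop) if rid in RECORDS}


class HardenedStore:
    def __init__(self, max_requests=5, window_seconds=60.0, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(list)  # account -> timestamps of recent requests

    def _check_rate(self, account):
        # Sliding window: drop old timestamps, then refuse if the budget is spent.
        now = self.clock()
        hits = [t for t in self._hits[account] if now - t < self.window]
        if len(hits) >= self.max_requests:
            self._hits[account] = hits
            raise RateLimited(account)
        hits.append(now)
        self._hits[account] = hits

    def get_record(self, token, record_id):
        account = SESSIONS.get(token)
        if account is None:
            raise Forbidden("no valid session")
        # Count the request before looking anything up, so failed probes cost budget too.
        self._check_rate(account)
        entry = RECORDS.get(record_id)
        # Same error for "does not exist" and "not yours": no oracle for valid ids.
        if entry is None or entry[0] != account:
            raise Forbidden("record not available")
        return entry[1]


def enumerate_hardened(store, token, start, stop):
    """The same walk against the hardened store. Returns (records obtained, outcome)."""
    got = {}
    for rid in range(start, stop):
        try:
            got[rid] = store.get_record(token, rid)
        except Forbidden:
            continue
        except RateLimited:
            return got, "rate_limited"
    return got, "done"


if __name__ == "__main__":
    print("weak lookup leaks:", sorted(enumerate_weak(1000, 1010)))
    store = HardenedStore(max_requests=5)
    got, outcome = enumerate_hardened(store, "tok-bob", 1000, 1010)
    print("hardened lookup yields:", sorted(got), "outcome:", outcome)
```

The rate limit here is keyed on the authenticated account because an unauthenticated caller never reaches the lookup at all; in a real deployment the budget would also be applied per source address in front of the login, and the ownership check would come from the data layer rather than a dictionary.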

It was unclear whether CyberX9 would face legal repercussions for probing Policybazaar’s system.

The incident highlights the gray area in which many security researchers operate around the world, including in India. Bona fide security researchers keen to prevent malicious hacks and ransomware attacks should exercise caution in India, as its Information Technology Act makes no distinction between malicious and ethical intent when it comes to identifying and exploiting weaknesses in software.

“There’s an ambiguity in the law – it says you can’t test without permission and only after that can you probe,” said Apar Gupta, executive director of the nonprofit Internet Freedom Foundation.

CERT-IN released a responsible disclosure policy in September offering good-faith guidelines for hackers, he said, but it includes a disclaimer that nods to the ambiguity. US law is also ambiguous, although the US Department of Justice announced a new policy in May stating that “good faith security research should not be charged.”

Sandeep Kamble, founder of India’s SecureLayer7, said the judiciary is “completely immature” in its handling of such cases, as judges generally lack technical acumen. This means that the system favors the brash and the daring, who better have good lawyers too.

Kamble and Gupta said it appears CyberX9 researchers, as Policybazaar customers, had good reason to probe the company’s digital edifice for easily exploitable flaws, as long as they did so in a responsible manner.

In its report to Policybazaar, CyberX9 said it would be happy to receive a so-called “bug bounty” reward – which some companies pay researchers for good-faith identification of flaws – “although this is not necessary.”

Pathak said no such reward was paid.

India, with 800 million internet users, also has no data protection law, even though the country’s highest court in 2017 deemed privacy a fundamental right and ordered the government to develop legislation. In parliament, the bill has been held up by criticism of certain provisions, including one that allowed the government to access personal data in the name of “sovereignty”.

Parliament last week withdrew the bill, saying it would restart the process.

Digital experts say a data protection law is needed in India, where financial fraud and data leaks are rampant. Its absence has exacerbated privacy concerns in the country, where past incidents have seen private companies and the government leak personal data.

–Bajak reported from Boston.

From the photo: A man checks the Policybazaar website at a local office of an insurance company in Mumbai, India, Wednesday, August 10, 2022. A cybersecurity company told the leading Indian online insurance broker last month that critical vulnerabilities in its Internet network could expose the sensitive personal and financial data of its 11 million customers. CyberX9 followed the standard ethical hacker playbook, giving the brokerage time to fix the flaws and notifying the authorities. A week later, the publicly traded Policybazaar said it had been illegally breached, but “no significant customer data was exposed.” (AP Photo/Rafiq Maqbool)

Copyright 2022 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.