NEW DELHI (Associated Press) – Last month, a small cybersecurity firm told a leading Indian online insurance brokerage that it had found critical vulnerabilities in the company’s Internet-facing network, which could leave the sensitive personal and financial data of at least 11 million customers exposed to malicious hackers.
The little-known firm followed the standard ethical-hacker playbook, giving PolicyBazaar, the insurance aggregator, time to plug the loophole and notify the authorities. It did not seek authorization in advance to test PolicyBazaar’s systems, but said it considered this appropriate, as it had employees who were customers.
A week later, on July 24, PolicyBazaar, which is publicly traded and counts Chinese conglomerate Tencent among its investors, informed India’s stock exchanges that its systems had been illegally breached, but that “no important customer data was exposed.”
It said little more.
Startup CyberX9 is not keeping quiet. Its managing director wants Indians to know that “many extremely important” vulnerabilities were so simple that it was almost as if PolicyBazaar deliberately left itself open to criminal or nation-state infiltration.
Himanshu Pathak, director, CyberX9, said, “It would have been very easy for anyone with a good knowledge of computer/IT to find, exploit and leak all this data.”
The data includes not only names, home and email addresses, dates of birth and phone numbers, but also what people must submit in order to obtain insurance: tax returns, salary slips, bank details, driver’s licenses and digital copies of identity documents, including birth, health and financial certificates, CyberX9 said.
A broker for multiple carriers and policy types claiming 90% of India’s online insurance aggregator market, PolicyBazaar aggregates data through user uploads and self-generated records. This included questionnaires that were filled out by members of the Indian Armed Forces – the company offers various insurance policies to suit them – their rank, branch of service, and whether they work in danger areas and handle weapons and explosives.
The Associated Press reached out to three people listed in sample data provided by CyberX9, which includes copies of sensitive personal documents. Among them was a soldier stationed in Ladakh, an area disputed with Pakistan and China. The trio confirmed that they are Policybazaar customers. All said that they had not been made aware of any security incident.
According to documents on the website of Policybazaar’s parent company, PB Fintech Ltd., the site had 56 million registered users at the end of December, including 11 million “transacting customers” who bought 25 million insurance policies.
Policybazaar would not respond to Associated Press’s questions, other than to say that it has fixed the identified vulnerabilities and referred the incident to external consultants for forensic audit.
It did not confirm whether CyberX9 alerted it to the vulnerabilities, describe how its IT systems were “subject to illegal and authorized access” or explain what customer data was exposed. Policybazaar said the flaw was identified on July 19, the day after CyberX9 said it had first alerted the brokerage.
Pathak provided the Associated Press with copies of his email exchanges with India’s Computer Emergency Response Team (CERT-IN), which said on July 25 that Policybazaar had reported the vulnerabilities fixed, and with National Cyber Security Officer Lt. Gen. Rajesh Pant, who wrote in an email on July 26: “Thanks for the information. Will initiate action against Policy Bazaar.”
Neither CERT-IN nor Pant responded to an Associated Press email seeking comment.
CyberX9 said it decided to investigate PolicyBazaar’s network flaws after learning, during the company’s November IPO, how sensitive and confidential the data it handled was.
It said it found five vulnerabilities and was able to retrieve user data without any authorization checks — and there was no restriction on how many times an unauthorized user could perform such a recovery.
In a technical report sent to the company last month, CyberX9 told PolicyBazaar that its researchers had tested the vulnerabilities “by fully automating them using very simple scripts, all without facing any viable restrictions by your system.”
“Considering the simplicity and ease of discovery and exploitation of these vulnerabilities, PolicyBazaar has clearly left the doors open for threatening actors to invade the lives of its users.”
It was not clear whether CyberX9 would face any legal repercussions for investigating PolicyBazaar’s systems.
The incident highlights the gray area in which many security researchers work globally, including in India. Security researchers with good faith intent to prevent malicious hacks and ransomware attacks should tread carefully in India as its computer crime law makes no distinction between malice and ethics in identifying and exploiting vulnerabilities in software code.
“There is ambiguity in the law – it says you can’t test without permission and only then can you test,” said Apar Gupta, executive director of the non-profit Internet Freedom Foundation.
CERT-IN issued a Responsible Disclosure Policy in September, which offered good-faith hacker guidelines, but included a disclaimer that pointed to ambiguity. US law is also unclear, although the US Department of Justice announced a new policy in May directing that “good faith security research should not be charged.”
Sandeep Kamble, founder of Indian firm SecureLayer7, said the judicial system is “totally immature” in dealing with such cases as judges generally lack technical skills. This means that the system favors brash and courageous people who also have good lawyers.
Kamble and Gupta said it appears that CyberX9 researchers, as customers of PolicyBazaar, had good reason to investigate the easily exploitable flaws of the company’s digital architecture, as long as they did it responsibly.
In its report to PolicyBazaar, CyberX9 said it would be happy to receive a so-called “bug bounty” — a reward some companies pay researchers for good-faith defect detection — “although it is not required.”
Pathak said that no such reward was given.
India, with 800 million internet users, does not even have a data protection law, even though in 2017 the country’s top court held privacy as a fundamental right and directed the government to legislate. In Parliament, the bill was delayed due to criticism over some provisions that gave the government access to personal data in the name of “sovereignty”.
Last week, parliament withdrew the law, saying it would start the process anew.
Digital experts say data protection legislation is essential in India where financial fraud and data leaks are rampant. Its absence has raised privacy concerns in the country, where both private companies and the government have leaked people’s data in past incidents.
Bajak reported from Boston.