Security firm finds flaws in Indian online insurance broker

Aug 10, 2022, 3:37 AM | Updated: Aug 12, 2022, 3:01 pm


A man looks at the Policybazaar website at a local insurance company office in Mumbai, India, Wednesday, Aug. 10, 2022. A cybersecurity firm told the major Indian online insurance brokerage last month that critical vulnerabilities in the company’s internet-facing network could expose sensitive personal and financial data from its 11 million customers. CyberX9 followed the standard ethical-hacker playbook, giving the brokerage time to patch the flaws and inform authorities. A week later, publicly traded Policybazaar said it had been illegally breached but “no significant customer data was exposed.” (AP Photo/Rafiq Maqbool)


NEW DELHI (AP) — Last month, a cybersecurity startup told a major Indian online insurance brokerage it had found critical vulnerabilities in the company’s internet-facing network that could expose sensitive personal and financial data from at least 11 million customers to malicious hackers.

The startup followed the standard ethical-hacker playbook, giving Policybazaar, the insurance aggregator, time to patch the flaws and inform authorities. It did not seek authorization in advance to test Policybazaar’s system but said it considered itself justified, in part because it had employees who were customers.

A week later, on July 24, Policybazaar, which is publicly traded and counts the Chinese conglomerate Tencent among its investors, notified India’s stock exchanges it had been illegally breached but “no significant customer data was exposed.”

It said little more.

The startup, CyberX9, is not keeping quiet. Its managing director wants Indians to know that the “multiple extremely critical” vulnerabilities were so easy to find it was almost as if Policybazaar had intentionally left itself open to criminal or nation-state intrusion.

“It would’ve been extremely easy for anyone with good computer/IT knowledge to discover, exploit, and leak all of this data,” CyberX9 director Himanshu Pathak said.

The data include not just names, home and email addresses, dates of birth and phone numbers but what people must show to get insurance: digital copies of identification, health and financial documents including tax returns, pay slips, bank statements, driver licenses and birth certificates, CyberX9 said.

A broker for multiple carriers and types of policies that claims 90% of India’s online insurance aggregator market, Policybazaar amasses data through user uploads and self-generated records. It included questionnaires that Indian armed forces members filled out — the company offers various insurance policies tailored to them — listing their ranks, branch of service, and whether they work in danger zones and handle weapons and explosives.

The Associated Press reached three people listed in sample data including copies of sensitive personal documents provided by CyberX9, one a soldier stationed in Ladakh, a region in dispute with Pakistan and China. All three confirmed they were Policybazaar customers. All said they had not been made aware of any security incident.

According to documents on the website of Policybazaar’s parent company, PB Fintech Ltd., 56 million people were registered on the site at the end of December, including 11 million “transacting customers” who purchased 25 million insurance policies.

Policybazaar would not respond to questions from the AP, other than to say it had fixed the identified vulnerabilities and referred the incident to external advisers for a forensic audit.

It did not confirm that CyberX9 had alerted it to the vulnerabilities, describe how its IT system was “subject to illegal and unauthorized access” or explain what customer data was exposed. Policybazaar said the flaws were identified on July 19, the day after CyberX9 says it first alerted the brokerage.

Pathak provided the AP with copies of his email exchanges with India’s Computer Emergency Response Team (CERT-IN), which said on July 25 that Policybazaar reported the vulnerabilities had been fixed, and with a national cyber security official, Lt. Gen. Rajesh Pant, who told Pathak in a July 26 email: “Thanks for informing. Shall initiate action against Policy Bazaar.”

Neither CERT-IN nor Pant responded to AP emails seeking comment.

CyberX9 said it decided to probe Policybazaar’s network for flaws after learning during its November IPO how much sensitive and confidential data the company was managing.

It said it found five vulnerabilities. Its researchers were able to retrieve user data without any authorization check, meaning the system handed over records without verifying that the requester was entitled to them, and nothing limited how many such retrievals an unauthorized user could make, so the records could be pulled in bulk.

The researchers tested the vulnerabilities “by fully automating them using very simple scripts, all of this without facing any viable restrictions by your systems,” CyberX9 told Policybazaar in the technical report it sent the company last month.

“Considering the simplicity and ease of discovery and exploitation of these vulnerabilities, Policybazaar have clearly left the doors open to threat actors to invade the lives of its users.”
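The two weaknesses CyberX9 describes, a data lookup with no authorization check and no limit on how many lookups a caller can make, are a well-known pairing: the first lets any caller read any record, and the second lets a short script walk the whole ID space. The following is an added illustration, written for this page and not code from CyberX9’s report or from Policybazaar’s systems. It uses a constructed in-memory document store with hypothetical user names and sequential IDs, and shows a vulnerable lookup beside a hardened one that checks object ownership and throttles each caller; the enumeration functions model the “very simple scripts” the report refers to.

```python
import time
from dataclasses import dataclass, field

# Constructed sample store (hypothetical users, not real data): sequential
# document IDs, each owned by one user. Sequential IDs make enumeration trivial.
DOCUMENTS = {
    1001: {"owner": "alice", "kind": "pay_slip"},
    1002: {"owner": "bob", "kind": "bank_statement"},
    1003: {"owner": "alice", "kind": "tax_return"},
    1004: {"owner": "carol", "kind": "driver_license"},
}


class AuthorizationError(Exception):
    """Caller does not own the requested document, or it does not exist."""


class RateLimited(Exception):
    """Caller has used up its request budget for the current window."""


def vulnerable_fetch(doc_id):
    """Vulnerable pattern: look the document up by ID and never ask who is calling."""
    return DOCUMENTS.get(doc_id)


def enumerate_vulnerable(start, stop):
    """What a 'very simple script' does against the vulnerable handler: walk the ID space."""
    found = {}
    for doc_id in range(start, stop):
        doc = vulnerable_fetch(doc_id)
        if doc is not None:
            found[doc_id] = doc
    return found


@dataclass
class RateLimiter:
    """Fixed-window limiter keyed by principal. Every request, allowed or not, spends budget,
    so probing foreign IDs burns the attacker's quota just as fast as valid requests do."""
    max_requests: int
    window_seconds: float
    _windows: dict = field(default_factory=dict)

    def allow(self, principal, now):
        start, count = self._windows.get(principal, (now, 0))
        if now - start >= self.window_seconds:
            start, count = now, 0
        count += 1
        self._windows[principal] = (start, count)
        return count <= self.max_requests


def hardened_fetch(principal, doc_id, limiter, now=None):
    """Hardened pattern: throttle first, then enforce object-level authorization.
    Missing and foreign documents raise the same error so the ID space cannot be probed
    for which IDs exist."""
    now = time.time() if now is None else now
    if not limiter.allow(principal, now):
        raise RateLimited(principal)
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != principal:
        raise AuthorizationError(doc_id)
    return doc


def enumerate_hardened(principal, start, stop, limiter, now=0.0):
    """The same enumeration run against the hardened handler.
    Returns (documents collected, requests denied, whether the limiter cut the run short)."""
    collected, denied = {}, 0
    for doc_id in range(start, stop):
        try:
            collected[doc_id] = hardened_fetch(principal, doc_id, limiter, now)
        except AuthorizationError:
            denied += 1
        except RateLimited:
            return collected, denied, True
    return collected, denied, False


if __name__ == "__main__":
    # Vulnerable handler: the script recovers every document in the range.
    print(enumerate_vulnerable(1000, 1010))
    # Hardened handler: alice gets only her own two documents and is cut off after 5 requests.
    print(enumerate_hardened("alice", 1000, 1010, RateLimiter(max_requests=5, window_seconds=60.0)))
```

The ownership test is the fix that matters; the rate limit is defense in depth, turning a bulk leak into a slow one and producing a log signal worth alerting on. Note that the hardened handler keys the limiter by authenticated principal rather than by source IP, since an attacker with many addresses would otherwise sidestep it.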

It was unclear whether CyberX9 will face any legal repercussions for probing Policybazaar’s system.

The incident highlights India’s “complicated, messed-up” cybersecurity environment, where government officials often do not follow up to ensure better-protected networks, said Raman Jit Singh Chima, Asia policy director for the online rights nonprofit group AccessNow.

He said he believed Policybazaar made the vulnerability disclosure because insurance and securities regulators require it.

In India, as elsewhere, good-faith security researchers intent on preventing malicious hacks and ransomware attacks must tread carefully, constrained by vague computer crime laws. India’s laws draw no distinction based on intent or ethics when it comes to identifying and exploiting weaknesses in software.

“There is ambiguity in the law — it says you can’t test without permission and only after that can you probe,” said Apar Gupta, executive director of the nonprofit Internet Freedom Foundation.

CERT-IN issued a responsible disclosure policy in September offering good-faith hackers guidelines, he said, but it includes a disclaimer that nods to the ambiguity. U.S. law is also ambiguous, though the U.S. Justice Department announced a new policy in May directing that “good-faith security research should not be charged.”

That means the system favors the brash and the bold, who better also have good lawyers.

Security experts said it seems the CyberX9 researchers, as Policybazaar customers, had good cause to probe the company’s digital edifice for easily exploited flaws as long as they did it responsibly.

In its report to Policybazaar, CyberX9 said it would be pleased to receive a so-called “bug bounty” reward — which some companies customarily pay researchers for good-faith flaw identification — “though it is not necessary.”

Pathak said no such reward was paid.

India, with 800 million internet users, also does not have a data protection law even though the country’s top court in 2017 held privacy as a fundamental right and directed the government to draw up legislation. In Parliament, the bill was delayed by criticism over some provisions, including one that gave the government access to personal data in the name of “sovereignty.”

Last week, Parliament withdrew the legislation, saying it would start the process anew.

Digital experts say a data protection law is necessary in India where financial fraud and data leaks are rampant. Its absence has exacerbated privacy concerns in the country, where past incidents have seen both private companies and the government leak people’s data.

___

Bajak reported from Boston.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.


              A woman shows her account at policybazaar app on her phone in Mumbai, India, Wednesday, Aug. 10, 2022. A cybersecurity firm told the major Indian online insurance brokerage last month that critical vulnerabilities in the company’s internet-facing network could expose sensitive personal and financial data from its 11 million customers. CyberX9 followed the standard ethical-hacker playbook, giving the brokerage time to patch the flaws and inform authorities. A week later, publicly traded Policybazaar said it had been illegally breached but “no significant customer data was exposed.” (AP Photo/Rafiq Maqbool)
            
              A man looks at the website of policybazaar website at a local insurance company office in Mumbai, India, Wednesday, Aug. 10, 2022. A cybersecurity firm told the major Indian online insurance brokerage last month that critical vulnerabilities in the company’s internet-facing network could expose sensitive personal and financial data from its 11 million customers. CyberX9 followed the standard ethical-hacker playbook, giving the brokerage time to patch the flaws and inform authorities. A week later, publicly traded Policybazaar said it had been illegally breached but “no significant customer data was exposed.” (AP Photo/Rafiq Maqbool)

AP

FILE - Gabby Petito's mother Nichole Schmidt, wipes a tear from her face during a news conference o...

Associated Press

Mother of man who killed Gabby Petito said in letter she would help son ‘dispose of a body’

The mother of the man who killed Gabby Petito told her son in an undated letter that she would “dispose of a body” if needed because she loved him so much, according to copies of the note shared publicly for the first time this week by attorneys for Petito's parents.

4 days ago

A member of the 3rd U.S. Infantry Regiment, also known as The Old Guard, places flags in front of e...

Associated Press

5 things to know about Memorial Day including its controversies

Memorial Day is supposed to be about mourning the nation’s fallen service members, but it’s come to anchor the unofficial start of summer and a long weekend of discounts on anything from mattresses to lawn mowers.

4 days ago

FILE - This artist sketch depicts the trial of Oath Keepers leader Stewart Rhodes, left, as he test...

Associated Press

Officers describe chaos, fear on Jan. 6 as judge weighs prison time for Oath Keepers’ Rhodes

Police officers who defended the U.S. Capitol on Jan. 6, 2021, and public servants who fled the mob's attack told a judge on Wednesday that they are still haunted by what they endured, as the judge prepares to hand down sentences in a landmark Capitol riot case.

5 days ago

Pride month merchandise is displayed at the front of a Target store in Hackensack, N.J., Wednesday,...

Associated Press

Target on the defensive after removing LGBTQ+-themed products

Target once distinguished itself as being boldly supportive of the LGBTQ+ community.

6 days ago

(Photo By Tom Williams/CQ Roll Call via Getty Images)...

Associated Press

Former Arizona television journalist announces bid for Schweikert’s US House seat

A former Phoenix television journalist announced her candidacy Wednesday for the congressional seat currently held by seven-term Republican Rep. David Schweikert.

6 days ago

Tortoise by Henry Davis earned an honorable mention in the "Adventures in Nature” student photo c...

Associated Press

When you adopt a desert tortoise, prepare for a surprisingly social and zippy pet

They’re not fluffy, they don’t play fetch and they certainly don’t roll over. But there is such a thing as a lap tortoise.

7 days ago

Sponsored Articles

...

OCD & Anxiety Treatment Center

5 mental health myths you didn’t know were made up

Helping individuals understand mental health diagnoses like obsessive compulsive spectrum disorder or generalized anxiety disorder isn’t always an easy undertaking. After all, our society tends to spread misconceptions about mental health like wildfire. This is why being mindful about how we talk about mental health is so important. We can either perpetuate misinformation about already […]

(Photo: OCD & Anxiety Treatment Center)...

OCD & Anxiety Treatment Center

Here’s what you need to know about OCD and where to find help

It's fair to say that most people know what obsessive-compulsive spectrum disorders generally are, but there's a lot more information than meets the eye about a mental health diagnosis that affects about one in every 100 adults in the United States.

(Desert Institute for Spine Care in Arizona Photo)...

Desert Institute for Spine Care in Arizona

5 common causes for chronic neck pain

Neck pain can debilitate one’s daily routine, yet 80% of people experience it in their lives and 20%-50% deal with it annually.

Security firm finds flaws in Indian online insurance broker