A small cybersecurity company informed Policybazaar last month that it had found severe security flaws in the organization's internet-facing network that could expose the private financial and personal information of at least 11 million customers to malicious hackers.
The unnamed firm used the typical ethical hacker strategy, which gave Policybazaar, the insurance aggregator, time to fix the bugs and notify the authorities. It said that it felt legal, in part because it had workers who were clients, but it did not get permission in advance to test Policybazaar's technology.
On July 24, a publicly held entity Policybazaar — which counts Tencent among its investors — notified India's stock markets that it had suffered an unauthorized breach, but "no substantial customer data was compromised."
Flaw analysis
CyberX9's director Himanshu Pathak said that anyone with decent computer/IT expertise could have easily found, used, and leaked all of this material.
CyberX9, a startup, is not passive. The company's managing director wants Indians to be aware that since many extremely significant flaws were so simple to find, it appeared as though Policybazaar had purposefully left itself vulnerable to hacking by criminals.
The data also contains copies of the identification, health, and financial documents that people must present in order to obtain insurance, such as tax returns, pay stubs, bank statements, driver's licenses, and birth certificates. 90% of India's internet insurance aggregator market is claimed by Policybazaar, a broker for various carriers and types of policies that collects data through user uploads and self-generated records.
The Associated Press contacted three of the people listed in the sample material, which included copies of private data from CyberX9, one of whom was a soldier stationed in Ladakh, a region that is disputed by Pakistan and China. All three of them acknowledged that they were Policybazaar users. All of them claimed they were unaware of any security incident.
56 million users were enrolled on Policybazaar at the end of December, with 11 million of them as 'transacting clients' who bought 25 million insurance policies, according to documentation on the website of Policybazaar's parent firm, PB Fintech Ltd.
Other than to declare that it had corrected the discovered vulnerabilities and had forwarded the incident to outside consultants for a forensic audit, Policybazaar refused to answer the queries from the AP.
After learning about the volume of private and sensitive data that Policybazaar was in charge of maintaining during its November IPO, CyberX9 claimed it made the decision to check Policybazaar's network for vulnerabilities.
There were no limitations on the number of times an unauthorized user could perform such a retrieval, per the report, which detected five vulnerabilities and was able to collect user data without requesting permission.
Data privacy in India
The founder of SecureLayer7, Sandeep Kamble, said that the handling of these cases by the legal system is immature since most judges lack the necessary technological knowledge.
Despite the nation's top court deemed privacy to be a fundamental right in 2017 and ordered the government to draft legislation, India, which has 800 million internet users, also lacks a data protection law. Criticism of some of the bill's provisions, such as one that allowed the government access to personal data in the interest of 'sovereignty,' caused a delay in its consideration in Parliament.
A data protection law is deemed required in India, where financial fraud and data leaks are common, as per digital experts. Due to previous events in which both private companies and the government leaked people's data, its absence has raised privacy issues in the nation.
