NEW DELHI (AP) — A cybersecurity startup told a major Indian online insurance brokerage last month that it had discovered critical vulnerabilities in the company’s Internet network that could expose the sensitive personal and financial data of at least 11 million customers to malicious hackers.
The startup followed standard ethical hacking guidelines, giving Policybazaar, an insurance aggregator, time to fix the flaws and to inform the authorities. CyberX9 did not seek permission in advance to test Policybazaar’s systems, but said it believed the testing was justified, in part because some of its employees were Policybazaar customers.
A week later, on July 24, Policybazaar, which is publicly traded and counts Chinese conglomerate Tencent among its investors, notified Indian stock exchanges of the breach, saying that “no significant customer data was exposed.”
It said little more.
The startup, CyberX9, is not staying silent. Its CEO wants Indians to know that “several extremely critical” vulnerabilities were so easy to find that it was almost as if Policybazaar had deliberately left itself open to criminals or nation-state intrusion.
“It would be extremely easy for someone with good computer/IT knowledge to discover, exploit and merge all this data,” said CyberX9 director Himanshu Pathak.
The data includes not only names, home and email addresses, dates of birth and phone numbers, but also what people have to show to get insurance: digital copies of IDs and of medical and financial documents, including tax returns, bills, letters, bank statements, driver’s licenses and birth certificates, said CyberX9.
Policybazaar, a broker for various carriers and policy types that accounts for 90% of India’s online insurance aggregator market, collects data through user uploads and records it generates itself. The exposed data included questionnaires filled out by members of the Indian armed forces – the company offers a range of insurance policies tailored to them – listing their rank, line of service and whether they work in dangerous areas and handle weapons and explosives.
The Associated Press contacted three people listed in a data sample, which included copies of sensitive personal documents, that CyberX9 provided to the AP. One was a soldier stationed in Ladakh, a region disputed with Pakistan and China. All three confirmed that they are Policybazaar customers. All said they were not aware of any security incident.
According to filings on the website of Policybazaar’s parent company, PB Fintech Ltd., the site had 56 million registered users at the end of December, including 11 million “transacting customers” who purchased 25 million insurance policies.
Policybazaar did not respond to questions from the AP, except to say that it had patched the vulnerabilities that had been discovered and had handed the incident to outside consultants for a forensic examination.
The company did not confirm that CyberX9 alerted it to the vulnerabilities, describe how its IT system was “subject to illegal and unauthorized access” or explain what customer data was exposed. Policybazaar said the flaws were discovered on July 19, a day after CyberX9 said it first alerted the brokerage.
Pathak provided the AP with copies of his emails with India’s Computer Emergency Response Team (CERT-IN), which said on July 25 that the vulnerabilities had been patched, and with National Cyber Security Coordinator Lt. Gen. Rajesh Pant, who told Pathak in a July 26 email: “Thanks for the message. Action will be taken against Policy Bazaar.”
Neither CERT-IN nor Pant responded to AP’s emails seeking comment.
CyberX9 said it decided to audit Policybazaar’s network for flaws after learning, from the company’s November IPO filings, how much sensitive data it handles.
CyberX9 said it found five vulnerabilities and was able to retrieve user data without any authorization check – and there was no limit on how many times an unauthorized user could repeat that extraction.
The researchers tested the vulnerabilities “by fully automating them with very simple scripts, all without any viable restrictions on your systems,” CyberX9 told Policybazaar in a technical report it sent to the company last month.
“Given the simplicity and ease of discovery and exploitation of these vulnerabilities, Policybazaar has clearly left the door open for threat actors to invade users’ lives.”
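The two failure modes the report describes, retrieval with no authorization check and no limit on repeated requests, are generic enough to show in code. The following is an added illustration written for this page, not Policybazaar’s code and not CyberX9’s script; the record store, session format, endpoint shape, owner names and limits are all invented for the example. It pairs a lookup that returns any record whose id the caller guesses with a hardened version that authenticates, rate limits per principal and checks object ownership, and runs a simple id-enumeration loop against both.

```python
"""Broken object-level authorization plus missing rate limiting, and a hardened
counterpart. Everything here is a constructed example: the DOCUMENTS store, the
session dict shape and the numeric ids are invented for illustration."""
import time
from dataclasses import dataclass, field

# Constructed sample records: document id -> uploaded-document metadata.
DOCUMENTS = {
    1001: {"owner": "alice", "type": "bank_statement", "path": "docs/1001.pdf"},
    1002: {"owner": "bob", "type": "drivers_licence", "path": "docs/1002.pdf"},
    1003: {"owner": "carol", "type": "tax_return", "path": "docs/1003.pdf"},
}


class Forbidden(Exception):
    """Request refused; deliberately the same for 'no such id' and 'not yours'."""


class TooManyRequests(Exception):
    """Caller exhausted its request budget for the current window."""


def get_document_vulnerable(doc_id, session=None, now=None):
    """Vulnerable pattern: the session is never consulted and nothing counts
    requests, so any caller who enumerates ids receives every record."""
    return DOCUMENTS.get(doc_id)


@dataclass
class RateLimiter:
    """Sliding-window counter keyed by principal (hypothetical, in-memory)."""
    max_requests: int
    window_seconds: float
    _hits: dict = field(default_factory=dict)

    def check(self, key, now=None):
        """Record one request for `key`; return False once the window is full."""
        now = time.monotonic() if now is None else now
        recent = [t for t in self._hits.get(key, []) if now - t < self.window_seconds]
        if len(recent) >= self.max_requests:
            self._hits[key] = recent
            return False
        recent.append(now)
        self._hits[key] = recent
        return True


LIMITER = RateLimiter(max_requests=5, window_seconds=60)


def get_document_hardened(doc_id, session, now=None, limiter=LIMITER):
    """Hardened pattern: require a session, charge the request against the
    caller's budget before any lookup, then require that the record belongs to
    the caller. Missing and foreign ids produce identical errors, so an
    enumeration loop learns nothing about which ids exist."""
    if not session or "user" not in session:
        raise Forbidden("authentication required")
    if not limiter.check(session["user"], now):
        raise TooManyRequests("request budget exhausted")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session["user"]:
        raise Forbidden("not found")
    return doc


def enumerate_documents(fetch, session, id_range, now=None):
    """The kind of 'very simple script' the report mentions: walk a range of
    ids and keep whatever comes back. Returns (found, forbidden, throttled)."""
    found, forbidden, throttled = {}, 0, 0
    for doc_id in id_range:
        try:
            doc = fetch(doc_id, session, now)
        except Forbidden:
            forbidden += 1
            continue
        except TooManyRequests:
            throttled += 1
            continue
        if doc is not None:
            found[doc_id] = doc
    return found, forbidden, throttled


def demo(now=0.0):
    """Run the enumeration against both handlers and summarise the outcome."""
    ids = range(1000, 1010)
    v_found, _, _ = enumerate_documents(get_document_vulnerable, None, ids, now)
    anon_found, anon_forbidden, _ = enumerate_documents(get_document_hardened, None, ids, now)
    h_found, h_forbidden, h_throttled = enumerate_documents(
        get_document_hardened, {"user": "bob"}, ids, now)
    return {
        "vulnerable_records_leaked": len(v_found),
        "hardened_unauthenticated_records": len(anon_found),
        "hardened_unauthenticated_refusals": anon_forbidden,
        "hardened_bob_records": sorted(h_found),
        "hardened_bob_refusals": h_forbidden,
        "hardened_bob_throttled": h_throttled,
    }


if __name__ == "__main__":
    print(demo())
```

The ordering in the hardened handler matters: the rate limiter is charged before the ownership check, so an authenticated caller who probes foreign ids burns their own budget, and the unauthenticated path is refused before it can touch the limiter or the store at all.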
It was unclear whether CyberX9 would face any legal consequences for probing the Policybazaar system.
The incident highlights India’s “complex, confusing” cybersecurity environment, in which government officials often fail to take steps to better protect networks, said Raman Jit Singh Chima, Asia Pacific policy director for the nonprofit internet rights group Access Now.
He said he believes Policybazaar disclosed the vulnerability because insurance and securities regulators required it.
In India, as elsewhere, conscientious security researchers intent on preventing malicious hacks and ransomware attacks must tread carefully, constrained by vaguely worded computer crime laws. Indian law makes no distinction between malicious and ethical intent when it comes to discovering and exploiting flaws in software.
“There’s an ambiguity in the law — it says you can’t test without permission and then you can investigate,” said Apar Gupta, executive director of the nonprofit Internet Freedom Foundation.
In September, he said, CERT-IN issued a responsible disclosure policy that offers guidance to ethical hackers, but it includes a disclaimer that nods to the ambiguity. US law is also ambiguous, although the US Department of Justice announced a policy in May that good-faith security research should not be charged.
This means that the system favors the brash and bold, who also better have good lawyers.
Security experts said it appears the CyberX9 researchers, as customers of Policybazaar, had good reason to probe the company’s digital edifice for easily exploitable flaws, provided they did so responsibly.
In its report to Policybazaar, CyberX9 said it would be happy to receive a so-called bug bounty – a reward some companies pay researchers who find flaws in good faith – “although it is not mandatory.”
Pathak said no such reward was paid.
India, with 800 million internet users, also has no data protection law, although in 2017 the country’s Supreme Court recognized privacy as a fundamental right and ordered the government to draft legislation. The bill was delayed in parliament amid criticism of some provisions, including that it gave the government access to personal data in the name of “sovereignty”.
The bill was withdrawn from parliament last week, with the government saying it would start the process anew.
Digital experts say a data protection law is needed in India, where financial scams and data leaks are rampant. Its absence has exacerbated privacy concerns in a country where past incidents have led to leaks of people’s data by both private companies and the government.
Bajak reported from Boston.
Copyright © 2022 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.