Policybazaar, a major Indian insurance aggregator funded by a Chinese investor, has allegedly exposed sensitive and confidential personal, health, and financial data of around 56.4 million of its customers, including defense personnel, potentially compromising national security, a cyber security research firm has claimed.
National security agencies have initiated action against Policybazaar for exposing users' data, including personal identification information such as Aadhaar, passport, etc., the research firm CyberX9 claimed in its latest report.
Policybazaar is an Indian insurance aggregator funded by China’s Tencent Holdings. Policybazaar claims to have 56.4 million registered customers and India’s largest digital insurance market share of 93.4%.
According to another report, a Policybazaar spokesperson referred to its filing to the stock exchanges made on July 24 and said the identified vulnerabilities have been “duly fixed” as confirmed by an external advisor.
“A thorough forensic audit of the incident has been initiated with external advisors. The incident was covered by the media. We have nothing further to add,” the spokesperson said in a statement.
The online broker’s parent PB Fintech is listed on the stock exchanges.
What data was exposed?
The information exposed by Policybazaar includes, but is not limited to, the following:
– customers’ photo, full name, date of birth, complete residential address, email address, mobile number, credit report, PAN number, policy details including nominee details, family members’ policies details, bank account statements, income tax returns, Passport, immigration visa, records of country entry and exit, Aadhaar card (both sides), driving license, health records, payslips.
– sensitive details of defense personnel who are Policybazaar customers
– copies of customers’ past policy documents
– copies of customers’ birth certificates
– copies of customers’ vehicle registration certificates
Threat From Defence Personnel’s Data Exposure
For Indian defense personnel specifically, this data was exposed along with data from a “Defense questionnaire” that Policybazaar collects from people working in the Indian defense forces.
These vulnerabilities also exposed questionnaire replies by defense personnel who bought policies from Policybazaar.
This data, which is in addition to the data mentioned above, includes but is not limited to:
– Details of which specific branch of the Indian defense forces someone is in, such as the Indian Army, Navy, or Air Force, and even specifics if someone is in one of the Indian special forces such as SPG, Black Cat commando, CoBRA, or Anti Terrorist Squad.
– Current rank and designation in that defense force
– Current location of posting (which is often highly confidential)
– Details if someone is engaged in any hazardous activities, e.g. aviation, diving, parachuting, bomb disposal or special service groups, and length of service in those roles.
– Specific nature of role
– Details if someone in Indian defense is currently serving in or is under orders to proceed to any troubled area, or around border areas of India
– Details if someone handles weapons or explosives. If yes, details of such weapons and explosives.
“Such data is very confidential and sensitive to the Indian national security, especially when combined with defense personnel’s personal data which was also being exposed by Policybazaar, an Indian insurance aggregator funded by a Chinese company,” the CyberX9 report stated.
“This is a goldmine for any adversary nation of India,” it remarked.
Indian Authorities Informed
CyberX9 said that the vulnerabilities in Policybazaar’s system potentially exposed data of 56.4 million people who have transacted on the platform.
“At the end of our analysis, we came to the conclusion that there is high potential that Policybazaar could be having these vulnerabilities as intentional backdoor vulnerabilities in order to potentially allow access to the Chinese government to sensitive data of Indian nationals and particularly defense personnel,” CyberX9 claimed.
After informing Policybazaar about the vulnerabilities on July 18, CyberX9 reported the incident to cyber security watchdog CERT-In on July 24.
“CERT-In confirmed to us on July 25 that Policybazaar has now admitted and fixed the reported vulnerabilities and asked us to retest if the vulnerabilities were fixed,” the report stated.
CyberX9 said it also submitted the report to National Cyber Security Coordinator Rajesh Pant who promised to initiate action against Policybazaar.
“Rajesh Pant promptly reverted back to us after going through the information we shared, they thanked us for the information and informed us that they shall initiate action against Policybazaar,” the report added.