NEW DELHI (AP) — Last month, a small cybersecurity firm told a major Indian online insurance brokerage that it had found critical vulnerabilities in the company’s Internet-facing network that could expose sensitive personal and financial data of at least 11 million customers to malicious hackers.
The little-known firm followed the standard playbook for ethical hackers, giving Policybazaar, the insurance aggregator, time to correct the mistakes and inform the authorities. It did not seek prior authorization to test Policybazaar’s system, but said it considered itself eligible, in part because it had employees who were customers.
A week later, on July 24, Policybazaar, which is listed and counts Chinese conglomerate Tencent among its investors, notified India’s stock exchanges that it had been breached, but “no significant customer data was exposed.”
It said little more.
The startup, CyberX9, is not quiet. Its CEO wants Indians to know that the “several extremely critical” vulnerabilities were so easy to find that it was almost as if Policybazaar was intentionally leaving itself open to criminal or nation-state intrusion.
“It would be extremely easy for anyone with good data/IT knowledge to discover, exploit and leak all this data,” CyberX9 director Himanshu Pathak said.
The data includes not only names, home and email addresses, dates of birth and phone numbers, but what people need to show to get insurance: digital copies of identification, health and financial documents, including tax returns, payslips, bank statements, driver’s licenses and birth certificates.
Policybazaar, a broker for multiple carriers and types of insurance that claims 90% of India’s online insurance aggregate market, collected the data through user uploads and self-generated records. It included questionnaires filled out by members of the Indian armed forces – the company offers various insurance policies tailored to them – detailing their rank, branch of service and whether they work in danger zones and handle weapons and explosives.
The Associated Press reached three people listed in sample data, including copies of sensitive personal documents, provided by CyberX9, among them a soldier stationed in Ladakh, a region at loggerheads with Pakistan and China. All three confirmed that they were Policybazaar customers. All said they had not been made aware of any security incident.
According to documents on the website of Policybazaar’s parent company, PB Fintech Ltd., 56 million people were registered on the site at the end of December, including 11 million “transaction customers” who bought 25 million policies.
Policybazaar would not respond to questions from the AP, other than to say it had fixed the identified vulnerabilities and referred the incident to outside counsel for a forensic audit.
It did not confirm that CyberX9 had notified it of the vulnerabilities, describe how the IT system was “subject to illegal and unauthorized access” or explain what customer data was exposed. Policybazaar said the flaws were identified on July 19, the day after CyberX9 said it first notified the brokerage.
Pathak provided the AP with copies of his email exchanges with India’s Computer Emergency Response Team (CERT-IN), which said on July 25 that Policybazaar reported that the vulnerabilities had been fixed, and with a national cybersecurity official, Lt. Gen. Rajesh Pant, who told Pathak in an email on July 26: “Thank you for informing. Will initiate measures against Policy Bazaar.”
Neither CERT-IN nor Pant responded to emails from AP seeking comment.
CyberX9 said it decided to investigate Policybazaar’s network for deficiencies after learning during its November IPO how much sensitive and confidential data the company manages.
It said it found five vulnerabilities and was able to fetch user data without an authorization check – and there was no limit to how many times an unauthorized user could do such a fetch.
The researchers tested the vulnerabilities “by fully automating them using very simple scripts, all without facing any viable constraints from your systems,” CyberX9 told Policybazaar in the technical report it sent the company last month.
“Given the simplicity and ease of discovery and exploitation of these vulnerabilities, Policybazaar has clearly left the door open for threat actors to invade the lives of its users.”
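The two weaknesses described above, a data fetch with no authorization check and no cap on how often it can be called, are a common pairing, and the fix for each is small. The following Python is an added illustration written for this article; it is not code from CyberX9’s report or from Policybazaar, and the customer ids, user names and document names are constructed. It places a fetch routine that mirrors the described flaw beside a hardened version that ties each record to the logged-in user and throttles repeated requests per user.

```python
import time
from collections import defaultdict, deque

# Constructed sample store: record id -> owning user and the uploaded document.
# Names, ids and file names are hypothetical.
RECORDS = {
    1001: {"owner": "alice", "document": "tax_return_2021.pdf"},
    1002: {"owner": "bob", "document": "payslip_march.pdf"},
}


class AuthorizationError(Exception):
    """Caller is not the owner of the requested record (or it does not exist)."""


class RateLimitExceeded(Exception):
    """Caller made too many requests inside the rate-limit window."""


def fetch_document_vulnerable(record_id):
    """The pattern the article describes: whoever supplies a record id receives the
    document. Nothing checks who is asking, and nothing limits how often they ask."""
    return RECORDS[record_id]["document"]


class RateLimiter:
    """Sliding-window limiter: at most max_requests per principal per window_seconds.
    The clock is passed in explicitly so behaviour is deterministic in tests."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)  # principal -> timestamps of recent requests

    def allow(self, principal, now=None):
        now = time.monotonic() if now is None else now
        hits = self._hits[principal]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def fetch_document_hardened(record_id, session_user, limiter, now=None):
    """Hardened version: throttle first (so denied attempts also count against the
    caller), then release the document only to the user who owns the record."""
    if not limiter.allow(session_user, now):
        raise RateLimitExceeded(f"too many requests for {session_user}")
    record = RECORDS.get(record_id)
    # Same error for a missing id and for someone else's id, so the response
    # does not reveal which ids exist.
    if record is None or record["owner"] != session_user:
        raise AuthorizationError("record not found")
    return record["document"]


def demo():
    """Exercise both versions and return what each one allowed."""
    results = {}
    # Vulnerable path: no session is needed at all to read alice's document.
    results["leaked"] = fetch_document_vulnerable(1001)

    limiter = RateLimiter(max_requests=3, window_seconds=60)
    # bob reads his own record: allowed.
    results["own"] = fetch_document_hardened(1002, "bob", limiter, now=0.0)
    # bob asks for alice's record: refused, but the attempt still uses a slot.
    try:
        fetch_document_hardened(1001, "bob", limiter, now=1.0)
        results["cross"] = "allowed"
    except AuthorizationError:
        results["cross"] = "denied"
    # Third request inside the window is fine; the fourth is throttled.
    fetch_document_hardened(1002, "bob", limiter, now=2.0)
    try:
        fetch_document_hardened(1002, "bob", limiter, now=3.0)
        results["throttled"] = False
    except RateLimitExceeded:
        results["throttled"] = True
    # Once the window has slid past the early requests, bob is served again.
    results["after_window"] = fetch_document_hardened(1002, "bob", limiter, now=61.0)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ownership check is the part that closes the flaw the article describes; the limiter is a second layer that makes bulk retrieval expensive even if a future bug weakens the first. Keying the limiter on the authenticated user rather than on an IP address is deliberate, since the article notes the data could be pulled by automated scripts, which are trivial to spread across addresses.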
It was unclear whether CyberX9 will face any legal consequences for probing Policybazaar’s system.
The incident highlights the gray area in which many security researchers operate globally, including in India. Bona fide security researchers intent on preventing malicious hacks and ransomware attacks must tread carefully in India as cybercrime law does not distinguish between malice and ethics when it comes to identifying and exploiting vulnerabilities in software code.
“There is ambiguity in the law — it says you can’t test without permission and only after that you can investigate,” said Apar Gupta, executive director of the nonprofit Internet Freedom Foundation.
CERT-IN issued a responsible disclosure policy in September that offers guidelines for hackers in good faith, he said, but it includes a disclaimer that nods to the ambiguity. US law is also ambiguous, although the US Department of Justice announced a new policy in May instructing that “good faith security research shall not be charged.”
Sandeep Kamble, founder of Indian firm SecureLayer7, said the judicial system is “completely immature” in its handling of such cases, as judges generally lack technical acumen. That means the system favors the brash and bold, who also have good lawyers.
Kamble and Gupta said it appears the CyberX9 researchers, as Policybazaar customers, had good reason to probe the company’s digital edifice for easily exploited flaws as long as they did so responsibly.
In its report to Policybazaar, CyberX9 said it would be happy to receive a so-called “bug bounty” reward – which some companies typically pay researchers to identify bugs in good faith – “although it is not required.”
Pathak said no such reward was paid.
India, with 800 million internet users, also does not have a data protection law, although in 2017 the country’s top court deemed privacy a fundamental right and ordered the government to draft legislation. In parliament, the bill was delayed by criticism over some provisions, including one that gave the government access to personal data in the name of “sovereignty”.
Last week, parliament withdrew the legislation and said it would restart the process.
Digital experts say a data protection law is needed in India where financial fraud and data leaks are rampant. The absence has worsened privacy concerns in the country, where previous incidents have seen both private companies and the authorities leak people’s data.
Bajak reported from Boston.