Vulnerabilities in online insurance broker Policybazaar’s system have led to the exposure of personal information of lakhs of its clients, including defense personnel, a cybersecurity research firm claimed Wednesday.
CyberX9 said Aadhaar and PAN card data, as well as customer addresses and phone numbers, were exposed due to the vulnerabilities, and that the issue was reported to Policybazaar on July 18.
On July 24, Policybazaar informed exchanges that it had noted the vulnerabilities on July 19 and that no significant customer data had been exposed.
When contacted on Wednesday, a spokesperson for Policybazaar referred to its filing with the exchanges on July 24 and said the vulnerabilities identified have been duly addressed, as confirmed by an outside advisor.
“A thorough forensic audit of the incident has been launched with external advisers. The incident has been picked up by the media. We have nothing further to add,” the spokesperson said in a statement.
PB Fintech, the parent company of the online broker, is listed on the stock exchange.
In its report, CyberX9 claimed that Policybazaar has exposed all confidential and sensitive personal information, including that of Aadhaar, PAN card and passport, of millions of customers.
It also claimed that vulnerabilities in Policybazaar’s system may have exposed data on 56.4 million people who transacted on the platform.
“Information exposed throughout the internet included, but is not limited to, client’s full name, date of birth, full residential address, email address, mobile number, policy details, including candidate details, copies of user’s bank statements, Income Tax Documents, Passport, Aadhaar Card, PAN Card, and so on,” it said.
In the case of the defense personnel, information such as the designation, the location of their posting and the activities they engaged in was made public, the report claimed.
After informing Policybazaar about the vulnerabilities on July 18, CyberX9 reported the incident to cybersecurity watchdog CERT-In on July 24.
“CERT-In confirmed to us on July 25 that Policybazaar has now admitted and fixed the reported vulnerabilities and has asked us to retest to see if the vulnerabilities have been fixed,” the report said.
CyberX9 said it has also submitted the report to National Cyber Security Coordinator Rajesh Pant, who pledged to take action against Policybazaar.
“Rajesh Pant immediately returned to us after reviewing the information we shared, thanking us for the information and letting us know that they will take action against Policybazaar,” the report said.
An email inquiry sent to Pant regarding the matter went unanswered.
“At the end of our analysis, we concluded that there is a high probability that Policybazaar would have these vulnerabilities as deliberate backdoor vulnerabilities to potentially give the Chinese government access to sensitive data of Indian citizens and especially defense personnel,” CyberX9 claimed.
China-based Tencent Holdings is one of the investors in Policybazaar.
(Except for the headline, this story has not been edited by DailyExpertNews staff and has been published from a syndicated feed.)