Policybazaar exposes millions of Indian Customers’ data

Research firm CyberX9 has claimed that Chinese Investor-Backed Policybazaar has allegedly exposed sensitive and confidential personal, health, and financial data of around 56.4 million of its customers including defense personnels and potentially compromises national security.

A Policybazaar spokesperson said the identified vulnerabilities have been duly fixed as confirmed by an external advisor. “A thorough forensic audit of the incident has been initiated with external advisors. The incident was covered by the media. We have nothing further to add,” the spokesperson said.

The information exposed includes customers’ photo, full name, date of birth, complete residential address, email address, mobile number, credit report, PAN number, policy details including nominee details, family members’ policies details, bank account statements, income tax returns, Passport, immigration visa, records of country entry and exit, Aadhaar card (both sides), driving license, health records, payslips.

For Indian defense personnels, the data was being exposed along with that data of a “Defense questioner” that Policybazaar takes from people working in Indian defense forces, including the questionnaire replies by defense personnels who bought policy from Policybazaar.

Apart from the above mentioned data, details of which specific branch of Indian defense forces someone is in like Indian Army, Navy, Air force, and even specifics if someone is in one of the Indian special forces like SPG, Black Cat commando, CoBRA, Anti Terrorist Squad, current rank and designation in that defense force, current location of posting, details if someone is engaged in any hazardous activities, e.g. aviation, diving, parachuting, bomb disposal or special service groups, and length of service in those roles, details if someone in Indian defense is currently serving in or is under orders to proceed to any troubled area, or around border areas of India, details of someone handling weapons or explosives were also leaked.

After informing Policybazaar about the vulnerabilities, CyberX9 reported the incident to cyber security watchdog CERT-In. National security agencies have initiated action against Policybazaar.