Taking cognisance of the recent security breach at Policybazaar, Lok Sabha MP from Anandpur Sahib in Punjab Manish Tewari urged the Parliamentary Standing Committee on Finance to schedule a hearing on the cybersecurity status of online platforms.
He also urged Insurance Regulatory and Development Authority (IRDA) to investigate the matter.
In a tweet, Tewari said, “Exposure of vulnerabilities in @policybazaar‘s Internet facing network are serious urge @irdaindia to investigate matter. Request @jayantsinha Chairperson Parlimentary Standing Commitee of Finance to schedule a cyber security hearing of online platforms.”
Exposure of vulnerabilities in @policybazaar ‘s Internet facing network are serious urge @irdaindia to investigate matter. Request @jayantsinha Chairperson Parlimentary Standing Commitee of Finance to schedule a cyber security hearing of online platforms https://t.co/C6w6aTCdRK— Manish Tewari (@ManishTewari) August 11, 2022
On July 24, PB Fintech, the parent company of Policybazaar, in a notification to exchanges, said that their IT systems were breached on July 19. The company added that issues identified in its IT systems had been fixed since then and an audit had been initiated.
The announcement by Policybazaar came at a time when a number of platforms from payment gateways to broking have reported a spate of customer data breaches and frauds.
Earlier, on August 10, CyberX9, a cybersecurity company in their blog, provided more insights into the cybersecurity breach, which they claimed had affected around 56.4 million of its customers including defence personnel.
The firm said that they discovered and reported the breach to Policybazaar on July 18. They said that the vulnerabilities in the system that led to the attack “were extremely easy to discover and exploit by anyone with good computer knowledge”.
The cybersecurity company also alleged that the vulnerabilities that were exposed in the Policybazaar breach, were “possibly left intentionally by Policybazaar’.
“There have been instances worldwide of Chinese backed or Chinese companies having some intentional backdoor vulnerabilities in their services through which they can give access to their partner criminals in China or many times to the Chinese government,” it alleged.
In 2019, China’s Tencent holdings acquired a minority stake in Policybazaar.
A Policybazaar spokesperson said, “PB Fintech has made a formal statement on 24th July 2022 regarding the incident (attached) to the exchange. The identified vulnerabilities have been duly fixed as confirmed by an external advisor. A thorough forensic audit of the incident has been initiated with external advisors. The incident was covered by the media. We have nothing further to add.”
Data that Cyberx9 says was exposed
Cyberx9 said that the data that was exposed include customers' —
- Photo
- Full name
- Date of birth
- Complete residential address
- Email address
- Mobile number
- Credit report
- PAN number
- Policy details including nominee details
- Family members policies details
- Bank account statements
- Income tax returns
- Passport
- Immigration visa
- Records of country entry and exit
- Aadhaar card (both sides) and so on.
The company also claimed that the Policybazaar breach exposed details of defence personnel, which include specific details of where a defence personnel work such as Indian Army, Navy, Air force, and even specifics such as SPG, Black Cat commando, CoBRA, Anti Terrorist Squad, Policybazaar said.
