No Significant Customer Data Exposure: PolicybazaarAttackers Gained Unauthorized Access Through Fixed Vulnerability
An Indian consumer financial company says a cybersecurity incident involving unauthorized access to its systems did not result in a significant data breach.
PB Fintech, which distributes insurance policies through Policybazaar Insurance Brokers, reported the findings in a regulatory filing to the country's stock exchanges, National Stock Exchange and BSE Limited, on Sunday. It says it has fixed the issues. The firm claims to serve more than 9 million customers.
The company discovered the vulnerabilities on July 19. An initial review found "no significant customer data exposed," the company says, adding that it fixed the security hole.
The vulnerability "was brought to our attention last week. There was a roundabout way to get some data and the gap has been plugged by our team," a Policybazaar spokesperson tells information Security Media Group.*
The vulnerability does not appear to have impacted business, but the company informed the stock exchanges of the bug as a "precautionary measure," the spokesperson says.
"Policybazaar has reached out to the appropriate authorities and is taking due recourse as per law," the filing says.
The insurance product marketplace's shares on Monday fell 4% from its Friday closing value of 520 rupees.
6-Hour Reporting Mandate
On July 1, the Securities and Exchange Board of India introduced a six-hour cyber incident reporting mandate for Indian stock brokers and trading houses that went into effect immediately (see: Indian Stock Exchanges Have 6 Hours to Report Cyber Incident).
The new guidance extends to "cyberattacks, threats and breaches" and requires additional reporting to stock exchanges and the Indian Computer Emergency Response Team. Stockbrokers or depository participants must also report the incidents to the National Critical Information Infrastructure Protection Center if their systems are designated "protected" by the organization.
In Policybazaar's case, the regulatory filing says that the company detected the vulnerabilities on July 19. The stock exchanges were notified five days later on July 24.
*July 26, 2022 13:56 UTC: This story was updated to include Policybazaar's statement on the ongoing probe and the business impact of the vulnerability.