Showing posts from August, 2019

Aegon Life Customer Data Leak

Since it's that tax filing time of the year, I went to the Aegon Life website the other day to get my Health Insurance Tax certificate. Looked around, didn't find anything, so I used the search option on the site. Among a bunch of results with general information about Tax savings, I clicked on what I thought at first was a question posted on a forum / knowledge base. It turned out to be a message sent in private to Aegon Life via their contact form instead. 🤦‍♂️

To verify that this wasn't outdated data, or data from a sandbox server, I used the contact form myself and used the search option to find what I had just submitted:

It looked like a badly configured Drupal installation was the cause of the issue. I spent some time trying different searches on the search form, and I discovered that every single record attached to a form on their website was available, in public, for anyone to find. This included the contact form for general inquiries as well as existing customer…
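The check the post describes (submit a message through the contact form, then see whether the site's own search returns it) is a simple canary test that a site owner can run against their own installation before and after fixing the configuration. The following is an added example, not code from the post or from any Aegon Life or Drupal component. The `FakeSite` class is a constructed stand-in with two modes (one that wrongly indexes form submissions into search, one that does not); on a real site the `submit` and `search` callables would be replaced by HTTP calls to the site's own contact form and search endpoint, which this example deliberately does not include.

```python
"""Canary check: does a site's public search index private form submissions?

Procedure (as in the post): send a unique, unguessable marker through the
contact form, then query the public search for that marker. Any hit means
submissions are reaching the public search index.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class ExposureReport:
    canary: str                 # the marker that was submitted
    exposed: bool               # True if public search returned it
    matching_results: List[str]  # the search results that contained it


def make_canary() -> str:
    """Random token so a search hit can only come from our own test submission."""
    return "formcheck-" + secrets.token_hex(8)


def check_form_exposure(
    submit: Callable[[str], None],
    search: Callable[[str], List[str]],
    canary: Optional[str] = None,
) -> ExposureReport:
    """Submit a canary message via `submit`, then look for it via `search`.

    `submit` and `search` are injected so the same logic works against a
    real site (HTTP calls) or the constructed FakeSite below.
    """
    canary = canary or make_canary()
    submit(f"Configuration test message {canary}. Please ignore.")
    hits = [r for r in search(canary) if canary in r]
    return ExposureReport(canary=canary, exposed=bool(hits), matching_results=hits)


class FakeSite:
    """Constructed stand-in for a CMS whose search may or may not index form data."""

    def __init__(self, index_submissions: bool):
        # index_submissions=True models the misconfiguration described in the post:
        # every stored form record is searchable by anonymous visitors.
        self.index_submissions = index_submissions
        self.submissions: List[str] = []
        self.public_pages: List[str] = [
            "Tax saving tips for the financial year",
            "How to download your premium payment certificate",
        ]

    def submit_contact_form(self, message: str) -> None:
        self.submissions.append(message)

    def search(self, query: str) -> List[str]:
        corpus = self.public_pages + (self.submissions if self.index_submissions else [])
        return [p for p in corpus if query.lower() in p.lower()]


if __name__ == "__main__":
    for label, site in (("leaky", FakeSite(True)), ("fixed", FakeSite(False))):
        report = check_form_exposure(site.submit_contact_form, site.search)
        print(f"{label}: exposed={report.exposed} hits={report.matching_results}")
```

Because the canary is random and unique, a single hit is conclusive and no existing visitor data needs to be searched for; rerunning the check after tightening the search index or the form-storage permissions confirms the fix.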