Aegon Life Customer Data Leak

Since it's that tax filing time of the year, I went to the Aegon Life website the other day to get my Health Insurance Tax certificate. Looked around, didn't find anything, so I used the search option on the site. Among a bunch of results with general information about tax savings, I clicked on what I thought at first was a question posted on a forum / knowledge base. It turned out to be a message sent in private to Aegon Life via their contact form instead. 🤦‍♂️



To verify that this wasn't outdated data, or data from a sandbox server, I used the contact form myself and used the search option to find what I had just submitted:


It looked like a badly configured Drupal installation was the cause of the issue. I spent some time trying different searches on the search form, and I discovered that every single record attached to a form on their website was publicly available for anyone to find. This included the contact form for general inquiries as well as existing customers; the Education Plan Calculator submissions; the retirement planner; the income tax calculator; and the Human Life Value Calculator. What's important to note here is that every single form asks for PII (Personally Identifiable Information), including:
  • Name
  • Email
  • Mobile
  • Policy Number
  • Annual Income
  • Age
  • Gender
  • Assets
  • Tax Deductions
Apart from the above, hundreds of customers have divulged personal information including medical records and claims data, assuming that this will remain between themselves and Aegon. So if you have ever used one of these forms in the past, your data was compromised and anyone on the internet could have found it.
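The verification step described above (submit something through the form, then search the site for it) can be turned into a routine check that a site owner runs against their own site. This is an added example, not code from the original post or from Aegon: it assumes you can supply a function that posts to the form and a function that returns the search results HTML, and it uses constructed stand-ins for both so it runs offline.

```python
import secrets
from html.parser import HTMLParser
from typing import Callable, Optional


class _TextExtractor(HTMLParser):
    """Collects the visible text of a search-results page (no external deps)."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def text(self):
        return " ".join(self.parts)


def make_canary(prefix: str = "leakcheck") -> str:
    """Random marker that cannot collide with real submissions or public pages."""
    return f"{prefix}-{secrets.token_hex(8)}"


def canary_in_results(search_html: str, canary: str) -> bool:
    """True if the canary appears in the visible text of the search results page."""
    parser = _TextExtractor()
    parser.feed(search_html)
    return canary in parser.text()


def check_form_exposure(submit: Callable[[str], None],
                        search: Callable[[str], str],
                        canary: Optional[str] = None) -> dict:
    """Submit a canary through a form on your own site, then search the site for it.
    submit(message) posts the form; search(query) returns the search results HTML.
    Returns the canary and whether it was found, so the result can be logged or alerted on."""
    canary = canary or make_canary()
    submit(f"Routine exposure check, reference {canary}")
    exposed = canary_in_results(search(canary), canary)
    return {"canary": canary, "exposed": exposed}


# Constructed offline stand-ins for the site (hypothetical, not Aegon's endpoints):
# a submission store plus a search page that does / does not expose stored submissions.
_SUBMISSIONS = []
def _fake_submit(message):
    _SUBMISSIONS.append(message)
def _fake_search_leaky(query):
    hits = [m for m in _SUBMISSIONS if query in m]
    return "<ul>" + "".join(f"<li class='result'>{h}</li>" for h in hits) + "</ul>"
def _fake_search_safe(query):
    return "<p>No results found.</p>"

if __name__ == "__main__":
    print(check_form_exposure(_fake_submit, _fake_search_leaky))  # exposed: True
    print(check_form_exposure(_fake_submit, _fake_search_safe))   # exposed: False
```

Against a live site, the search function should also cover any public search engine that indexes the site, since that is where an exposed submission is most likely to surface.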

I reached out to Aegon Life via Twitter but got no response, so I emailed Aegon global asking if they had a protocol in place, like a bug bounty program. To their credit, they immediately emailed me back, and after I sent them this info, they got the leak fixed in under 48 hours, and sent the following email to their customers a week later, after the incident was reported by TheWire.

Dear Customer,
We are currently investigating a situation where some information for a few of our customers was exposed through our company website.
The issue was immediately rectified upon detection and all related customer information is secure.
We assure you that your data security and privacy is of utmost importance to us.
As per our initial analysis, we believe it is unlikely that you are affected by this.
This communication is being sent to you as we believe in being transparent.
Fal Ghancha
Chief Information Security Officer
Aegon Life Insurance

