Major Security Flaw at LIC India Exposed Millions of Confidential Insurance Documents

India's largest insurer, Life Insurance Corporation (LIC), recently addressed a major security vulnerability that allowed unauthorized access to millions of confidential insurance application forms through its online portal.

The flaw, discovered by 25-year-old engineer Ankit Kumar, enabled anyone to download complete insurance form details by simply modifying document IDs in URLs, without requiring any authentication or One-Time Password (OTP).

"Anyone can exploit this even without any hacking training," Kumar told MediaNama. The forms contained highly sensitive information including:

  • Personal identifiers like mobile numbers and email addresses
  • Family details including parents' names
  • Financial information including bank accounts
  • Medical records and family health history
  • PAN card details
  • Complete residential addresses
  • Employment and income details

The vulnerability existed in LIC's eSales platform where insurance form PDFs were stored with sequential document IDs. By incrementing these IDs, all historical documents could be accessed without any security checks.
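The pattern described above (one client walking a counter of document IDs) leaves a distinctive trace in web server access logs, and a defender can find it without any vendor tooling. The script below is an added example, not code from the article, LIC or MediaNama: it parses constructed Common Log Format lines, extracts the numeric ID from a hypothetical `/esales/forms/<id>.pdf` path (the real URL layout is not given in the article), and flags any client whose requests contain a run of consecutive IDs. It also counts the 200 responses per flagged client, since that number, not the number of attempts, is what an incident report has to state.

```python
import re
from collections import defaultdict

# Common Log Format with the request line; the document id is the numeric file
# name under /esales/forms/ (hypothetical path, not LIC's actual URL layout).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
DOC_ID_RE = re.compile(r'^/esales/forms/(?P<id>\d+)\.pdf$')


def parse_requests(lines):
    """Yield (client, status, doc_id) for every line that fetched a numbered form."""
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        d = DOC_ID_RE.match(m['path'])
        if d is None:
            continue
        yield m['client'], int(m['status']), int(d['id'])


def longest_sequential_run(ids):
    """Length of the longest run in which each id equals the previous id plus one."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumeration(lines, min_run=5):
    """Map client -> (longest sequential run, number of 200 responses) for every
    client whose longest run reaches min_run. A legitimate user opens one or two
    of their own forms; a counter walk shows up as a long run of +1 steps."""
    ids_by_client = defaultdict(list)
    ok_by_client = defaultdict(int)
    for client, status, doc_id in parse_requests(lines):
        ids_by_client[client].append(doc_id)
        if status == 200:
            ok_by_client[client] += 1
    flagged = {}
    for client, ids in ids_by_client.items():
        run = longest_sequential_run(ids)
        if run >= min_run:
            flagged[client] = (run, ok_by_client[client])
    return flagged


# Constructed sample log: one client walks ids 1001..1008 in order (one of them
# a 404), another fetches only its own form twice. Addresses are TEST-NET ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Oct/2024:10:00:00 +0530] "GET /esales/forms/1001.pdf HTTP/1.1" 200 48213',
    '203.0.113.5 - - [12/Oct/2024:10:00:01 +0530] "GET /esales/forms/1002.pdf HTTP/1.1" 200 47120',
    '203.0.113.5 - - [12/Oct/2024:10:00:02 +0530] "GET /esales/forms/1003.pdf HTTP/1.1" 200 49877',
    '198.51.100.7 - - [12/Oct/2024:10:00:03 +0530] "GET /esales/forms/2210.pdf HTTP/1.1" 200 51002',
    '203.0.113.5 - - [12/Oct/2024:10:00:03 +0530] "GET /esales/forms/1004.pdf HTTP/1.1" 200 46310',
    '203.0.113.5 - - [12/Oct/2024:10:00:04 +0530] "GET /esales/forms/1005.pdf HTTP/1.1" 404 212',
    '203.0.113.5 - - [12/Oct/2024:10:00:05 +0530] "GET /esales/forms/1006.pdf HTTP/1.1" 200 50041',
    '203.0.113.5 - - [12/Oct/2024:10:00:06 +0530] "GET /esales/forms/1007.pdf HTTP/1.1" 200 48802',
    '203.0.113.5 - - [12/Oct/2024:10:00:07 +0530] "GET /esales/forms/1008.pdf HTTP/1.1" 200 47555',
    '198.51.100.7 - - [12/Oct/2024:10:00:09 +0530] "GET /esales/forms/2210.pdf HTTP/1.1" 200 51002',
    '198.51.100.7 - - [12/Oct/2024:10:00:10 +0530] "GET /esales/login HTTP/1.1" 200 1203',
]

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))  # {'203.0.113.5': (8, 7)}
```

The +1 run test is deliberately strict; a client that skips IDs or walks them in a random order will not be caught by it. In practice you would pair it with a per-client distinct-ID count over a time window, but the strict form has almost no false positives and is the quickest way to size a disclosure like this one from the logs you already have.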

Kumar reported the issue through multiple channels including LIC's legal and web teams in October 2024. The flaw was finally patched seven days later by implementing UUID4 identifiers instead of sequential numbers.

However, security experts note that while UUID4 makes unauthorized access harder, the fix still lacks basic safeguards like OTP validation that competitors like SBI Insurance have implemented.
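The distinction the experts are drawing is between an identifier that is hard to guess and a check that the requester is allowed to see the document. The example below is added here and is not LIC's code or anything from the article: a minimal document store in the pre-fix shape (sequential IDs, no check at all) next to a hardened store that issues UUID4 identifiers and, separately, requires a logged-in session, a completed OTP step and ownership of the document. The `Session.otp_verified` flag stands in for an OTP flow that is assumed to exist elsewhere; generating and checking the code is out of scope, as are the `Form` and `Session` types, which are constructed for the example.

```python
import uuid
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """An authenticated portal session. otp_verified is set by a separate OTP
    step that this example assumes exists; the OTP itself is not modelled."""
    user_id: str
    otp_verified: bool = False


@dataclass
class Form:
    doc_id: str
    owner_id: str
    pdf: bytes


class SequentialFormStore:
    """Pre-fix shape: ids count up from 1 and download() checks nothing."""

    def __init__(self):
        self._forms = {}
        self._next_id = 1

    def store(self, owner_id: str, pdf: bytes) -> str:
        doc_id = str(self._next_id)
        self._next_id += 1
        self._forms[doc_id] = Form(doc_id, owner_id, pdf)
        return doc_id

    def download(self, doc_id: str) -> bytes:
        # No session and no ownership check: any id that exists is served.
        return self._forms[doc_id].pdf


class AuthorizedFormStore:
    """Hardened shape: an unguessable id (the UUID4 part of the fix) plus the
    authorization the experts say is still missing: a session, a verified OTP
    step, and a check that the requester owns the document."""

    def __init__(self):
        self._forms = {}

    def store(self, owner_id: str, pdf: bytes) -> str:
        doc_id = str(uuid.uuid4())  # 122 random bits: not enumerable
        self._forms[doc_id] = Form(doc_id, owner_id, pdf)
        return doc_id

    def download(self, doc_id: str, session: Optional[Session]) -> bytes:
        if session is None or not session.otp_verified:
            raise PermissionError("login and OTP verification required")
        form = self._forms.get(doc_id)
        # One error for both "no such id" and "not your document", so the
        # endpoint never confirms which ids exist.
        if form is None or form.owner_id != session.user_id:
            raise PermissionError("document not found")
        return form.pdf


def _attempt(store: AuthorizedFormStore, doc_id: str, session) -> str:
    try:
        store.download(doc_id, session)
        return "allowed"
    except PermissionError:
        return "denied"


def demo():
    """Return what the sequential store hands out with no credentials at all,
    and how the hardened store answers the same kinds of request."""
    seq = SequentialFormStore()
    seq.store("alice", b"%PDF alice application")
    seq.store("bob", b"%PDF bob application")
    leaked = seq.download("2")  # no login: Bob's form comes back

    hard = AuthorizedFormStore()
    hard.store("alice", b"%PDF alice application")
    bob_id = hard.store("bob", b"%PDF bob application")
    outcomes = {
        "anonymous":  _attempt(hard, bob_id, None),
        "no_otp":     _attempt(hard, bob_id, Session("bob", otp_verified=False)),
        "cross_user": _attempt(hard, bob_id, Session("alice", otp_verified=True)),
        "unknown_id": _attempt(hard, "2", Session("bob", otp_verified=True)),
        "owner":      _attempt(hard, bob_id, Session("bob", otp_verified=True)),
    }
    return leaked, outcomes


if __name__ == "__main__":
    print(demo())
```

Note that the ownership check is what stops `cross_user`, not the UUID: a UUID4 that Alice learns from a shared link, a referrer header or a mis-sent email would still open Bob's form in a store that relied on the identifier alone. The random id and the authorization check address different failures and a fix needs both.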

The incident raises serious concerns about LIC's cybersecurity practices, especially given that "almost every family in India has an LIC policy," as Kumar noted. It also appears to violate multiple regulatory requirements including IRDAI's 2023 cybersecurity guidelines and CERT-In's six-hour incident reporting mandate.

LIC's privacy policy claims to treat customer information as confidential, but the company has not clarified its data deletion processes for users who don't proceed with policies. This may conflict with rights granted under India's upcoming Digital Personal Data Protection Act.

MediaNama has reached out to LIC, IRDAI, CERT-In and CSIRT-Fin for comments. Responses are awaited.