A glaring Application Programming Interface (API) security lapse in the online portal of the Life Insurance Corporation (LIC) of India left the sensitive personal data of millions of policyholders vulnerable to exploitation, raising concerns about the robustness of cybersecurity measures in critical public institutions.
Ankit Kumar, a 25-year-old engineer with expertise in API vulnerabilities, identified the breach. This discovery, first reported by MediaNama, revealed how a flawed API allowed unauthorised access to highly sensitive information. Kumar reported the issue via the PG Portal on October 16, 2024, prompting LIC to address the vulnerability within a week.
Despite the fix, questions remain about the adequacy of the measures implemented.
At the heart of the vulnerability was LIC’s document management system, which stored policyholder documents at publicly accessible URLs. By altering a sequential document ID embedded in the URL, anyone could download personal and financial information without authentication. This oversight, described as “broken authentication,” exposed critical details.
These include:
- Personal identifiers, including names, birth details, educational details and residential addresses.
- Financial data, including PAN numbers, current occupation and employer details, bank account details, and income-level data.
- Health records, including medical histories and lifestyle details.
- Policy information, including existing coverage and nominee details.
Kumar highlighted that, once exposed, such data could lead to identity theft, financial fraud, and privacy violations.
LIC’s response involved replacing sequential document IDs with UUID4 (version 4 Universally Unique Identifiers), a more complex scheme designed to enhance security. While this approach makes it harder to predict document IDs, experts note it does not eliminate risks: a request that carries a valid ID is still served without regard to who is asking. A robust solution would also require implementing multifactor authentication controls, measures currently absent from LIC’s platform.
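To make concrete why random UUID4 document IDs alone leave the problem described above in place, here is an added Python example (not LIC's code) using a constructed in-memory document store: the ID-only lookup that mirrors the flawed pattern, beside a lookup that ties access to the authenticated session and the document's owner.

```python
import uuid
from typing import Dict, Optional

# Constructed in-memory store standing in for the portal's document management
# system. All values are made up; nothing here is real policyholder data.
DOCS: Dict[str, Dict[str, str]] = {}

def store_document(owner: str, body: str) -> str:
    """Store a document under a random UUID4 key (the post-fix ID scheme) and return the key."""
    doc_id = str(uuid.uuid4())
    DOCS[doc_id] = {"owner": owner, "body": body}
    return doc_id

def fetch_by_id_only(doc_id: str) -> Optional[str]:
    """Flawed pattern: any request carrying a valid ID is served, with no check on who asks.
    Sequential IDs made this enumerable; UUID4 only makes the ID hard to guess. An ID that
    leaks through browser history, Referer headers or proxy logs still returns the document."""
    doc = DOCS.get(doc_id)
    return doc["body"] if doc else None

def fetch_authorized(session_user: Optional[str], doc_id: str) -> Optional[str]:
    """Hardened pattern: require an authenticated session and enforce object-level
    authorization (the caller must own the document), whatever the ID format."""
    if session_user is None:
        return None  # no session: a real API would answer 401
    doc = DOCS.get(doc_id)
    if doc is None or doc["owner"] != session_user:
        # Same answer for "missing" and "not yours": a 404 that does not
        # confirm to an outsider that the document exists.
        return None
    return doc["body"]

def demo() -> Dict[str, Optional[str]]:
    """Walk both patterns with one constructed document; returns the outcomes for inspection."""
    doc_id = store_document("alice", "constructed policy document for alice")
    return {
        "id_only_leaked_id": fetch_by_id_only(doc_id),      # served: the ID alone suffices
        "owner": fetch_authorized("alice", doc_id),          # served
        "other_user": fetch_authorized("bob", doc_id),       # denied
        "anonymous": fetch_authorized(None, doc_id),         # denied
        "guessed_sequential": fetch_by_id_only("000124"),    # None: random keys defeat guessing
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20} -> {result!r}")
```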
The breach highlights LIC’s failure to meet basic security protocols and raises questions about compliance with regulatory frameworks. Under the Securities and Exchange Board of India’s (SEBI) Listing Obligations and Disclosure Requirements (LODR) Regulations, 2023, listed entities must report cybersecurity incidents to CERT-In within six hours of noticing such incidents.
It remains unclear whether LIC fulfilled these obligations.
India’s Digital Personal Data Protection Act (DPDP) also emphasises consumer rights to data withdrawal and deletion. LIC’s privacy policy, however, appears to lack provisions for user-initiated data deletion, underscoring a gap between regulatory expectations and operational practices.
Kumar’s attempts to report the issue faced multiple hurdles. LIC’s internal systems were slow and disjointed, with initial responses referring him to marketing teams rather than cybersecurity experts. He received acknowledgement of the issue after escalating the matter to regulatory bodies, such as CERT-In and CERT-Fin.