New Delhi: The personal data of up to 10,000 customers of Aegon Life Insurance may have been exposed publicly due to a security vulnerability on the company’s website.
The data that was exposed included everything from basic demographic information – such as name, age, gender, mobile phone numbers – to, in some instances, more specific details such as annual income and specific health policy problems.
Aegon Life Insurance, India is a joint venture between the Netherlands-based Aegon NV and Bennett, Coleman and Co. Ltd (BCCL), the Indian publisher of The Times of India newspaper.
The vulnerability in question was simple: when clients of Aegon Life logged onto the company’s website to communicate their grievances to the insurer through various support channels, some of the data that was provided in the process wasn’t adequately secured.
Indian web developer Renie Ravin, who also co-founded the independent blogging platform ‘IndiBlogger’, reported the vulnerability to the company in mid-July 2019, following which the leak was plugged.
It is unclear at this point if any customer information was taken or misused.
The support channels through which the data was leaked included the company’s contact form, used both for general inquiries and by existing customers. It also may have included various online tools that helped Aegon Life customers calculate their liability and premiums such as the ‘Education Plan Calculator’, the ‘Retirement Planner’ and the ‘Human Life Value Calculator’ – all of which asked for personally identifiable information.
The Wire has confirmed that the data that was leaked through Aegon Life’s website – an example of which is shown below – was authentic.
In response to a questionnaire sent by The Wire earlier this week, the life insurance company admitted it was “currently investigating a situation wherein some customer information was exposed through our company website”.
“At Aegon Life, data security and privacy are of utmost importance. We believe in being transparent and hence, our customers are informed of this situation. We have also put in place immediate measures to curtail any similar incidents from occurring in the future,” the company said in a statement.
The company also started informing customers of the data leak this week.
On Friday afternoon, it put out an official statement that added that the incident was “not the result of a hack or malicious activity” and that it did not have “evidence that customer information was taken”.