Data of Policyholders of Leading Insurance Companies like Cigna & Exide In Cyber Criminals’ Hands: UP Cyber Police Arrest 3 From Agra
AGRA: What if you get a call from an insurance agent who has all your personal and investment-related details? You would believe him, right? Beware! The person calling you could be a scammer. A large-scale business of duping insurance holders of different companies is running across India, fuelled by leaked data of insurance holders.
The police investigation shows that policy-related data of thousands of insurance holders of different companies is being sold in the black market and is now being used by fraudsters to manipulate and cheat insurance holders. Ironically, despite the leak of customers’ data, no insurance companies have come forward to take preventive measures.
The Fraud
Mathura resident Lalit Pathak received a call from someone claiming to be from his insurance company. As the caller had all his personal and financial details, Pathak started believing him. The caller said that Pathak had a policy of Rs 12.47 lakh which had lapsed and that he would have to pay some money to renew it. Pathak fell for this trap and lost Rs 43,000, which the caller demanded for different purposes like documentation, verification etc.
After receiving the complaint, the cybercrime unit of Uttar Pradesh started the investigation and found a web of networks spread across several insurance companies. After a detailed investigation, three people were arrested, who were identified as Sumit Kashyap, Ramesh Prasad Giri and Mohd Akhib.
Modus Operandi
Police have found in their investigation that all three accused were earlier working with an insurance and share trading company, IIFL. It was while working there that they realised the potential of customers’ data and decided to cheat them.
They copied all the data of customers of the different insurance companies and started calling them. As the gang had all the financial details, they knew exactly which policy had lapsed, which was going to mature and how much return the client was going to get. Based on this status, the gang scripted their fake calls: they offered a refund on a lapsed account, hassle-free renewal and even lower policy charges. Most of the customers believed the callers and later discovered that they had been cheated.
The Loopholes
But what has left the investigators amazed is how easy it has become to start a scam shop. Leaked personal data is easily available against money and the insurance companies are least concerned about data protection.
Triveni Singh, Superintendent of Police, Cyber Crime, Uttar Pradesh, told The420.in that this entire fraud has exposed how carelessly sensitive data is stored. It is the responsibility of the insurance company and its associates to maintain complete protection; after all, customers have paid a huge amount of hard-earned money.
Singh highlighted that all insurers, regardless of size, complexity, or lines of business, collect, store, and share with various third parties (e.g., service providers, reinsurers etc.) substantial amounts of personal and confidential policyholder information, including in some instances sensitive health-related information. Insurance repositories, call centres, Common Service Centers etc. also have access to policyholders’ data. While information sharing is essential for conducting business operations, it is essential to ensure that adequate systems and procedures are in place so that there is no leakage of information and information is shared only on a need-to-know basis.
The Insurance Regulatory and Development Authority of India (IRDAI) has issued guidelines under which insurers are responsible for putting in place adequate measures to ensure that cybersecurity issues are addressed. Insurers are also mandated to appoint a chief information security officer, formulate a cyber crisis management plan and conduct audits.
IRDA has mandated all insurance companies to implement internal monitoring controls for data processing systems. The company must have a board-approved annual security review of the controls, systems, procedures and safeguards by a CERT-IN empanelled security auditor. It also requires strict compliance with ISO/IEC 27001 – Information Security Management System and reporting of any adverse findings that impact policyholders to the IRDA.
But looking at the scale at which such crimes are happening, it seems insurance companies are not doing enough. Earlier, in September 2020, Delhi Police’s Economic Offences Wing busted an insurance fraud racket for duping a senior citizen of Rs 6 crore. Eight people involved in the racket have been arrested, including a minor. Similarly, in October, Delhi Police arrested three scammers for duping 1,000 people for years in Delhi.
Such cases of fraud have been reported across India.
Time For Action
After the recent crackdown by the Uttar Pradesh Cyber Crime Unit, Triveni Singh said all the insurance companies whose data is found will be held responsible and will be asked to furnish the process from procurement to policy booking for their customers. “The insurance company will show how the sales leads are generated and managed for the customer call. The officers will be examined and the company will have to tell how and where the customer data is stored. As data is also shared with other partners and centres, the company will have to justify the security measures they have taken at the regional, zonal or central level,” Singh said.
Data recovered by UP Police includes data of the following insurance companies: Cigna, Exide Life Insurance, R-Nippon, Aegon Life Insurance, IndiaFirst Life Insurance etc.
Police have so far found five fake bank accounts operated by the gang, which has done transactions in crores. Cops are also trying to find other bank accounts operated by them and the number of people cheated by the gang.