Alarming holes found in Insurance Comparison sites' data security
An anonymous source has exposed to The Register a significant weakness in Google’s motor insurance aggregator, Google Compare, leaving thousands of people at risk of ID theft.
Comprehensive personal data, including names, addresses, phone numbers and job details, has been left at risk through a piece of third-party software.
The SSP system appears to work as a hub for quote data from brokers and aggregators. Alarmingly, a basic change made to a document gives access to other people's proposal forms, a process which The Register points out could easily be automated to exploit this weakness and harvest personal data.
The source claims “quotes from near enough all car insurance comparison sites in the UK go through this system, so you will find all Google Compare’s customers in there, and other comparison sites’ customers also.” However, they go on to say that “Some other aggregators do a server-side redirect” whilst “Other aggregators do not send the real contact details. It’s Google that chooses to send to this system.”
After the vulnerability was tested, The Register informed the Information Commissioner’s Office (ICO) and Google of the weakness. Google announced via a spokesman that they had suspended insurers who used the SSP from Google Compare, eliminating the data threat.
This threat to individuals’ data highlights the risk to users of faithfully divulging their private and personal data, and the risk to the party responsible for handling that data.
When did you last enter your personal data onto a website? Get Information Security aware