Mass Extraction of Home-Insurance Customer Records Including Card Data and Bank Details

The Vulnerability

The retrieve-token endpoint for in-flight quotes had a query flag that skipped the date-of-birth and postcode check inside the request body. Once that token was issued, the downstream home-insurance retrieve endpoint accepted it and returned the full home dossier, including the saved-payment object, to an anonymous caller holding only a bootstrap bearer.

Quote numbers follow a short, predictable pattern with sequential issuance, so the keyspace is fully enumerable. The same chain works across multiple sibling brands.

The Attack

Mint and retrieve

One unauthenticated call returned a bearer token. A second call to the retrieve-token endpoint, with the skip-verification flag and only a candidate quote number, returned a per-quote retrieval token whenever the quote existed.

Fetch the home dossier

A single call to the home-insurance retrieve endpoint with that token returned the full home record. The fields exposed included:

• Identity: full name, date of birth, residential address (the insured property), title, gender.
• Contact: mobile, email.
• Financial position: building sum insured, contents sum insured, mortgagee bank in plain text (named major Australian banks observed across the sample), under-mortgage flag, annual premium.
• Saved card data: cardholder name, card type, first digit and last four of the card number, full expiry date, plus the stored payment-instrument token used to charge the card.
• Saved direct-debit data: account-holder name, full Australian bank-state-branch number (unmasked), last four digits of the account number.
• Property and security posture: building type, year built, wall and roof construction, alarm configuration (fitted, monitored, sirens, strobe), occupancy status, landlord rent-per-week.

Sweep at scale

A 215-quote validation sweep over a small contiguous range returned 26 home records totalling more than ten million in building sums insured, 12 plain-text mortgagee bank names, and three records with populated saved-payment data (two with card details plus the stored payment token, one with direct-debit bank-state-branch and account-holder name). The sweep ran in roughly three minutes from a single source with zero throttling and zero detection.

The Impact

• Card-data exposure suitable as vishing material impersonating the card issuer: cardholder name, card type, last four, and full expiry, combined with date of birth, residential address, mortgagee bank, mobile, and email.
• Direct-debit fraud enablement. Account-holder name, full bank-state-branch, and account-number last four is the data set required to set up a direct debit in the customer's name.
• Identity-theft and bank-impersonation enablement. Full name, date of birth, residential address, and named mortgagee bank is the data set commonly used for phone-banking impersonation and SIM-swap setup in Australia.
• Targeted-burglary risk via disclosed residential addresses combined with contents-insured values and alarm posture.
• Volume and content well past the notifiable data breaches threshold, with likely card-industry scope review and prudential-regulator notification implications.

Remediation

• Always validate the date of birth and postcode in the request body on the retrieve-token endpoint, regardless of any query flag. The flag should be removed.
• The home-insurance retrieve endpoint should reject anonymously minted bearer tokens and require an authenticated customer session.
• Saved-payment data and direct-debit bank details should never be returned on any quote-retrieval surface. Strip those fields from non-authenticated response paths.
• Audit every other endpoint that accepts the stored payment-instrument token. Charge, save, refund, and change-payment endpoints must require re-authentication or step-up.
• Apply strict per-source rate limiting and anomaly alerting on the retrieve endpoint, keyed on distinct tokens per source per hour.
• Forensic review of access logs to identify the affected customer set, with notifications under the breach scheme and review under card-industry and prudential obligations.