Security | 11.02.2020

Hippo website lets you look people up using their ID number

Hippo.co.za

Insurance comparison service Hippo has acknowledged concerns raised by the MyBroadband community. This comes after a reader pointed out that it was possible to use the Hippo website as a free identity verification service.

Among the concerns was that visitors are able to simply type a South African ID number into Hippo’s “Get a quote” screen and immediately be shown someone’s personally-identifying information.

A lot of the data is censored, but you are able to see someone’s name, marital status, gender, and date of birth.

When you submit an ID number to Hippo’s “Get a quote” system and don’t actually go through with requesting a quote, the company will still call the number they have on file for that person.

Hippo said that this is to determine whether they require assistance with completing a quote, or if they had any issues with the online quote system.

When you click on a field to edit the information Hippo has on you, the information is not simply uncensored. The field is completely blanked.

Screenshot of the Hippo.co.za “Confirm your details” page, with potentially sensitive information blurred out

Testing Hippo’s “Get a quote” system

However, fields do not remain blank if you simply click edit on all of them and then back out of the quote.

We tested this by looking up ID numbers we had permission to query, then clicking edit on all the fields we were able to, and immediately leaving the website.

When we went back to Hippo’s website within a few minutes and re-entered the ID number, the fields we blanked still came back empty.

We checked again after several hours and found that the fields had all been repopulated with the information that was there before.

Later tests showed that Hippo stopped allowing the fields to be blanked and saved. It repopulated the blanked fields immediately. Even attempting to fill the fields with new information did not overwrite the data Hippo had on file.

Filling in deliberately false information and then completing the “Get a quote” process is not advised, as Hippo will then call the number you provided to verify the information.

Hippo said that it has its own call centre for this purpose and does not use a third-party call centre.
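As an added example (not code from the article, MyBroadband or Hippo): detection logic a site operator could run over access logs to flag a client that uses the prefill step as a lookup service, fetching details for many distinct ID numbers and never completing a quote. The endpoint paths, log format and ID numbers are constructed assumptions, and reported ID numbers are masked so the alert itself does not re-expose them.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (assumption: not real traffic or real IDs).
# Each line: <client> <timestamp> <path> <status>. /quote/prefill stands in for
# the step that returns a person's details for a submitted ID number;
# /quote/submit stands in for the final "get quotes" step. Both names are assumed.
SAMPLE_LOG = """\
203.0.113.5 2020-02-11T09:00:01 /quote/prefill?id=8001015009087 200
203.0.113.5 2020-02-11T09:00:09 /quote/prefill?id=8105125009086 200
203.0.113.5 2020-02-11T09:00:15 /quote/prefill?id=8203135009085 200
203.0.113.5 2020-02-11T09:00:22 /quote/prefill?id=8304145009084 200
198.51.100.7 2020-02-11T09:01:00 /quote/prefill?id=9002026000086 200
198.51.100.7 2020-02-11T09:03:40 /quote/submit?id=9002026000086 200
"""

PREFILL = re.compile(r"^(\S+) (\S+) /quote/prefill\?id=(\d{13}) (\d{3})$")
SUBMIT = re.compile(r"^(\S+) (\S+) /quote/submit\?id=(\d{13}) (\d{3})$")


def mask_id(id_number: str) -> str:
    """Keep only the 6-digit date-of-birth prefix so reports do not re-leak the ID."""
    return id_number[:6] + "*" * (len(id_number) - 6)


def find_enumerators(log_text: str, threshold: int = 3) -> dict:
    """Return {client: [masked ids]} for clients that prefilled at least
    `threshold` distinct ID numbers and never completed a quote for any of them."""
    prefilled = defaultdict(set)   # client -> ID numbers whose details were shown
    submitted = defaultdict(set)   # client -> ID numbers that reached "get quotes"
    for line in log_text.splitlines():
        m = PREFILL.match(line)
        if m and m.group(4) == "200":
            prefilled[m.group(1)].add(m.group(3))
            continue
        m = SUBMIT.match(line)
        if m:
            submitted[m.group(1)].add(m.group(3))
    flagged = {}
    for client, ids in prefilled.items():
        abandoned = ids - submitted[client]
        if len(abandoned) >= threshold and not submitted[client]:
            flagged[client] = sorted(mask_id(i) for i in abandoned)
    return flagged


if __name__ == "__main__":
    for client, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {len(ids)} ID numbers prefilled, none submitted: {ids}")
```

In practice the threshold and time window would be tuned against normal quote traffic, and a hit would feed rate limiting or a step-up check (such as confirming the phone number on file) before any details are shown.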

Screenshot of the Hippo “Get a quote” page

The problem of ID numbers in data leaks

“Thank you for bringing this to our attention. We always value any feedback to improve our customer experience, especially when it comes to our online activities due to the associated risks,” Hippo said in response to questions from MyBroadband.

“Some of the feedback from the readers on your forum has also resulted in us now looking at improving some of the processes, in terms of customer experience, whilst still ensuring our cybersecurity measures are updated.”

Hippo said that it is aware that there have previously been data leaks involving people’s ID numbers. One leak in 2017 resulted in the ID numbers of just about every South African being exposed.

“We have a dedicated web team to ensure that we keep our privacy and security updated to minimise any risk,” Hippo said.

“Incidents such as the Capital One breach in the States and the recent ransomware attack on the City of Joburg have heightened our security measures and therefore, besides the measures we have put in place above, we continue to add more to our security layer.”

Hippo went on to argue that if the same – or even more – information is already leaked through other sources, visiting the Hippo website does not result in a further leak of this information or exposure to more information than what is already leaked.

Where Hippo gets its data from

One reader reported that the information Hippo had on file appeared to have the exact same errors as they had been struggling to fix at FNB.

MyBroadband asked FNB for comment, and the bank requested the reader’s information to investigate.

FNB said that it does not share customer data with Hippo, its parent company, Telesure Investment Holdings, or any of its subsidiaries.

“FNB complies with all requirements for the lawful processing of personal information,” said Fernando Moreira, FNB Chief Data Protection Officer.

“In accordance with applicable laws, we adopt a multi-layered approach to protect personal information.”

Hippo told MyBroadband that it gets people’s details directly from the credit bureau.

Customers would have needed to give permission to the credit bureaus to use the information, Hippo said.

Credit checks

Another concern is raised by the terms and conditions on the “Get a quote” page on the Hippo website. They state:

By allowing us to use your ID number, you also consent to an insurer using it to check your credit rating and provide more accurate insurance quotes. This will not negatively affect your credit rating since this is not a credit application.

The issue is that anyone could give consent to Hippo to run a credit check on any ID number, even though the person entering the ID number may have no authority to do so.

“The Hippo quote system was designed so that we can provide website users with a quicker and easier online quotation process,” Hippo said.

“Keep in mind that this credit check is only done at the end of the quote process, once users have verified their information and just before they select ‘get quotes’.”

Hippo said that the credit check is done at that point to ensure that users get more accurate quotes.

“Hippo is not unique in requesting ID numbers”

Hippo said that it is not unique in South Africa for requesting ID numbers to provide a service such as getting insurance quotes.

“There are many service providers / insurers / financial providers who require this information to provide a requested service,” Hippo said.

MyBroadband did a quick investigation to test Hippo’s claim. We did not find any other comparison site, bank, or insurer that requests only an ID number and then presents you with data pulled from a credit bureau for that ID number.

We checked the following sites: Get-insured, iHound, Compare Guru, Better Compare, OUTsurance, King Price, MiWay, Santam, Discovery and Discovery Bank, FNB, Absa, Standard Bank, Nedbank, Capitec, and Tyme Bank.

How Hippo protects customer data

Hippo said that it is well aware of the potential privacy risks when dealing with people’s private information online. It provided the following list of cybersecurity measures that it has in place:

  • Our hosting partner and its internet exchange team actively monitor our incoming traffic together with our network team to alert us of any possible data breach or DDoS attempts.
  • As part of our network security protection, we have boundary firewall protection in place to protect us from any potential cyber-attacks that include data breaches/SQL injections.
  • All customer data and digital assets are protected internally by enterprise and privileged identity and access management.
  • All vulnerabilities and remediation on any digital assets are managed through our enterprise vulnerability management technologies, analysis and forum. This ensures that operating system configurations and firmware are constantly up to date.
  • All communication from and to our platforms, whether customers or partners, is encrypted and secured at the transport layer.
  • We have strict security requirements as a prerequisite with any partner integration.
