Everything after October 18 is a back-and-forth between CERT-In and me trying to determine if there would be a bug bounty reward. TTIBI never responded to the question, so I decided to close the case on December 22 and CERT-In sent me a nice appreciation letter.
If a "leading Insurance Broker across India" can't afford to hire competent developers, the least they can do is throw a couple of bucks at someone who took the time to identify the multiple severe problems that jeopardized their customers and who notified them responsibly.
The fact that they didn't and still haven't reset the password of the compromised email account blows my mind. Why would I ever trust a company that acts like this to do anything right? It seems like Toyota Tsusho Insurance Broker India should be avoided like the plague.
I've seen similar levels of incompetence first hand. This isn't someone actively ignoring important security warnings. This is someone not understanding what you are talking about. This is someone who, at a fundamental level, has no grasp of the landscape they are operating in or the challenges they are up against. This is someone who wants you to go away because the jargon you're talking doesn't make any sense to them or their team.
"Please stop sending me these confusing emails. I have important work to do."
The only way to fix this is a "changing of the guard" at the organizational level. The IT boss, and everything he has ever touched, has to go.
The Peter Principle…people get promoted into incompetence.
We put Peter there.
He's doing the job we put him there to do.
The Peter Principle says people get promoted until they can't do the job. If you aren't being promoted to a higher position, people wonder about you…
I see your point. Did you know it's a book?
Dang
Harvard Business Review: https://hbr.org/2014/12/overcoming-the-peter-principle
Sounds like exactly the kind of someone you wouldn't want to have to trust with your personal information, let alone trust to manage your life/property/business/liability insurance.
Unfortunately the people in charge of hiring IT Directors often aren't qualified to hire IT Directors.
Don't stop there.
Most likely there are few alternatives.
Which likely led to this issue in the first place.
Unlike other scenarios!
You mean most scenarios?
That’s a load-bearing password!