User data from online grocery platform BigBasket is for sale in an online cybercrime market, according to Atlanta-based cyber intelligence firm Cyble.
Part of a database containing the personal information of close to 20 million users was available with a price tag of 3 million rupees ($40,000), Cyble said on November 7.
The data comprised names, email IDs, password hashes, PINs, mobile numbers, addresses, dates of birth, locations, and IP addresses. Cyble said it found the data on 30 October, and after comparing it with BigBasket users’ information to validate it, reported the apparent breach to BigBasket on November 1.
A BigBasket representative with knowledge of the incident declined to comment.
Meanwhile, BigBasket users on Twitter have called out the company for not revealing the extent of the breach to its customers and what they ought to do if they fear their accounts were compromised.
BigBasket isn’t the only Indian e-commerce company to suffer in this way in recent months. On 11 July, delivery service player Dunzo disclosed that it had suffered a data breach that leaked phone numbers and email addresses of its users. Dunzo CTO Mukund Jha said no payment information was compromised.
Commenting on the BigBasket incident, cyber and privacy law expert Prashant Mali said it’s high time the government made it compulsory for all cyber-space companies to spend at least 15% of their annual budget on cybersecurity. The lack of adequate cybersecurity measures, he believes, is because cost-cutting has crept in. When organizations begin to cut corners in cybersecurity, he explained, is when incidents like this happen and put an individual’s right to privacy at risk.
“The government should make e-commerce companies compulsorily have their own private cloud and mandatory system audits ought to be carried out by CERT-empanelled auditors,” he said. CERT-In, the Indian Computer Emergency Response Team, is the nodal agency under the Ministry of Electronics and Information Technology assigned to deal with cybersecurity threats.
What makes the incident worrisome?
Jonathan Miles, senior threat intelligence analyst at cloud security provider Mimecast, said that the BigBasket incident is particularly worrying because it appears that customers’ payment details were available to hackers and these details can be used for a range of nefarious purposes. “Simply put, these details can be sold for financial gain on the dark web, with the prospective buyer able to use the data to impersonate a victim or lead them to a different domain,” he explained.
Furthermore, with the festive season around the corner, there is likely to be a significant increase in buyers using online retail sites owing to restrictions brought about by the COVID-19 outbreak.
“With more people using online retailers and sharing personal and financial data with them, the aperture for spoofed and malicious sites increases as entities seek to exploit wider vulnerabilities,” Miles said. Mimecast found that the retail and wholesale sector was the most targeted throughout October.
The risk, he explained, is not confined to individuals alone – recent Mimecast research found that 35% of workers used their corporate device for online shopping. Emphasizing the need for organizations to promote better cyber-hygiene, he said: “Businesses need to be wary of their employees shopping online using their professional device and putting company data at risk.”
In addition to user awareness and corporate vigilance, cyber law expert Mali is of the opinion that the soon-to-be-implemented Personal Data Protection Bill (PDPB) will bring in a sense of responsibility and bring attention to the legal risk in case of non-compliance. “Non-compliance to PDP could mean a jail term for senior executives and crores of rupees in fine. The bill is expected to be passed in the winter session of the parliament and companies ought to start planning their compliance strategy starting today,” he advised.
Copyright © 2020 IDG Communications, Inc.
