Online supermarket BigBasket landed in the soup recently when it accidentally put the data of over 2 crore users at stake. BigBasket and services like it became increasingly sought after during the lockdown imposed due to the coronavirus pandemic. More and more users turned to BigBasket to get groceries and vegetables delivered to their doorstep, but little did they know that their private data would be compromised on the app.
When you shop via any e-commerce platform, including Amazon, Flipkart, BigBasket, or Grofers, and make an online payment, you are required to fill in your card details. The details are then stored on the app to make your future transactions seamless. Along with debit and credit card details, users also enter their phone numbers and delivery addresses. BigBasket is said to have compromised sensitive data of over 40 million users, as per US-based cybersecurity intelligence firm Cyble.
So here is what we know about the data breach so far:
— BigBasket has acknowledged the breach and filed a police complaint against the hackers. It has, however, given an assurance that the only data that could have been leaked were phone numbers and addresses, not credit or debit card details. “The privacy and confidentiality of our customers are our priority and we do not store any financial data, including credit card numbers, and are confident that this financial data is secure,” the company said in a statement.
“The only customer data we maintain are email IDs, phone numbers, order details, and addresses so these are the details that could potentially have been accessed. We have a robust information security framework that employs best-in-class resources and technologies to manage our information,” it added.
— Cyble, the cyber-security firm that reported the breach, said that it was first detected on October 31. “In the course of our routine Dark web monitoring, the Research team at Cyble found the database of Big Basket for sale in a cyber-crime market, being sold for over $40,000. The leak contains a database portion; with the table name ‘member_member’. The size of the SQL file is ~ 15 GB, containing close to 20 Million user data. More specifically, this includes full names, email IDs, password hashes (potentially hashed OTPs), pin, contact numbers (mobile + phone), full addresses, date of birth, location, and IP addresses of login among many others,” Cyble noted in the blog post.
— Cyble informed BigBasket about the data breach on November 1, a day after it was detected. Following this, the supermarket registered a complaint with the cyber cell and is evaluating the breach.
More cases of data breach in India
Earlier in October, Hyderabad-based diagnostics center Dr. Reddy’s Laboratories had to shut all its plants following a data breach in its servers. The servers of Dr. Reddy’s were attacked days after it was granted approval to conduct late-stage clinical trials of the Russian Covid-19 vaccine, Sputnik V, in India. In the wake of the attack, the company shut all its plants in India, Russia, the United States, the United Kingdom, and Brazil.
“In the wake of a detected cyber-attack, we have isolated all data center services to take required preventive actions. We are anticipating all services to be up within 24 hours and we do not foresee any major impact on our operations due to this incident,” Dr. Reddy’s Chief Information Officer Mukesh Rathi had said in a statement.
While in most cases cyber attackers are behind some of the biggest data breaches, sometimes loopholes and unprotected servers give hackers access.