BigBasket Data Breach: Is Your Data Secure?

According to India’s National Cyber Security Coordinator Lt. Gen. (retd.) Rajesh Pant, 375 cyberattacks take place every day in the country.

Bigbasket, India’s leading online grocer, suffered a potential data breach last month, with the personal information of over 20 million customers allegedly sold on the dark web. The breach was detected by cybersecurity firm Cyble, during one of its routine searches on the dark web for criminal activity.

The firm said that it first detected the breach on October 30, but the hack allegedly occurred on October 14. The firm then validated the breach and informed Bigbasket management on November 1. Later, on November 7, the Atlanta-headquartered cybersecurity firm made the details of the breach public.

In a blog post, Cyble said that the details of 20 million users have been put up for sale on the dark web for $40,000.

“The leak contains a database portion; with the table name ‘member_member’. The size of the SQL file is ~ 15 GB, containing close to 20 Million user data. More specifically, this includes full names, email IDs, password hashes (potentially hashed OTPs), pin, contact numbers (mobile + phone), full addresses, date of birth, location, and IP addresses of login among many others,” the firm wrote.

Headquartered in Bengaluru, Bigbasket is India’s largest online food and grocery store. It is valued at $2 billion and is run by Innovative Retail Concepts Pvt Ltd. It is funded by Alibaba Group, Mirae Asset-Naver Asia Growth Fund, and the U.K. government-owned CDC group.

“A few days ago, we learnt about a potential data breach at Bigbasket and are evaluating the extent of the breach and authenticity of the claim in consultation with cybersecurity experts and finding immediate ways to contain it. We have also lodged a complaint with the Cyber Crime Cell in Bengaluru and intend to pursue this vigorously to bring the culprits to book,” BigBasket had said in a statement, according to First Post.

BigBasket added that the privacy and confidentiality of its customers is its priority and that it does not store any financial data such as credit card numbers and “is confident that this financial data is secure.”

“The only customer data that we maintain are email IDs, phone numbers, order details, and addresses so these are the details that could potentially have been accessed. We have a robust information security framework that employs best-in-class resources and technologies to manage our information,” the company said, adding that in order to further strengthen cybersecurity, it will continue to proactively engage with industry-leading strategies.

Cyble later revealed that the hacking group “Shinyhunters” was behind the hack, based on a conversation between the group and another cybercriminal which occurred on RaidForums, a marketplace for leaked databases, on November 10. Operational since 2005, the group has been selling a database containing a combined total of 73.2 million user records across 11 different companies including Wattpad, TrueFire.com and Swvl.com, on the dark web.

According to a recent report by IBM, data breaches resulted in an average loss of $3.86 million across the 17 geographies surveyed in 2020. The report found that 80% of the incidents resulted in the disclosure of customers’ personally identifiable information (PII).

Finance, technology, and services were among the sectors that experienced the costliest attacks, it added. Furthermore, malicious attacks were responsible for 52% of breaches.

Global cybercrime costs are expected to reach US$10.5 trillion annually by 2025, compared to US$3 trillion in 2015, according to Cybersecurity Ventures. The company has also predicted that there will be a ransomware attack on businesses every 11 seconds by 2021.

Data breaches in India

According to Cyble, there has been an increase in cybercriminal activities in the last 12 months, including threat actors targeting India specifically.

Despite India ranking in the global top 10 for the highest number of Internet users, data privacy and regulatory frameworks in the country are still in their infancy and are relatively weaker compared to those of countries with more mature Internet infrastructure.

“Cyber space is a complex environment of people, software, hardware and services on the Internet. Due to vulnerabilities in software, lack of awareness among people and evolving processes, there are possibilities of increased cybersecurity incidents,” said Sanjay Dhotre, Minister of State for Electronics and Information Technology.

On Monday, November 17, India’s National Cyber Security Coordinator Lt. Gen. (retd.) Rajesh Pant said that India sees 375 cyberattacks every day, and that there are 400,000 malware schemes in operation. The numbers were reported in an article by The Hindu.

Recent incidents of data breaches in India include those at snacks manufacturer Haldiram Snacks Pvt Ltd, online matrimonial service Bharat Matrimony, the Indian Prime Minister’s personal website narendramodi.in, Indian Railways’ online ticketing portal IRCTC, and Indian wedding planning website Wedmegood.

Following a series of high-profile security breaches on Twitter, an account linked to Prime Minister Narendra Modi was hacked on September 3, and hackers posted a series of tweets asking to donate cryptocurrency to a relief fund. Cyble later found databases of the website on the dark web, which contained “a substantial amount of Personally Identifiable Information (PII) data belonging to the Prime Minister’s followers.”

Cyble added that the data contains the personal details of over 570,000 users, including their names and email addresses. Another database also showed the details of financial transactions made by donors.

In May this year, Cyble had said that an unidentified individual was allegedly selling the personal data of 47.5 million users of caller ID app Truecaller on the dark web for $1000. However, Truecaller denied the breach and stated, “all our user information is secure.”

Earlier this year, Cyble had also reported that the data of 29 million Indian job seekers from various job portals was allegedly leaked on the dark web. The findings followed a report by an independent security researcher who found a database containing the information of 9.1 million Zoomcar users.

How to find out if your data has been leaked

A haven for cybercriminals, the dark web is an unregulated part of the internet that is not indexed by search engines. As it uses encryption software, it provides anonymity for users and hides their locations.

Through the portal AmiBreached.com, owned by Cyble, users can verify if their personal details have been leaked onto the dark web.

Alternatively, the site haveibeenpwned allows users to input their email addresses to check which data breaches they were exposed in, and if their accounts have been compromised.

What to do if your data has been leaked

As data breaches generally occur at the organizational level, where hackers access the data of millions of users (as was the case with the BigBasket data breach), there is not much individuals can do in terms of prevention. However, if your data has been compromised through a breach in an organization, there are several steps you should take.

1. Confirm the breach and find out what type of data was stolen

When a breach occurs, it is the responsibility of the company to inform all its users immediately. If you find out about a breach, you can also contact the company to confirm it, and to find out if your information was compromised.

It is also important to find out what type of data was stolen to determine your next course of action. While your name and address are relatively less significant, details such as your date of birth, email address, and financial information could put you in a more vulnerable position.

2. Accept the company’s offer to help

If the breached company is offering any help to protect you, you should consider accepting it. For instance, after the 2017 data breach of Equifax, a credit reporting agency, which potentially leaked the personal data of 147 million people, the company offered a $425 million settlement to the victims. In addition, the company offered free credit monitoring and identity theft protection services to those who filed claims, cash payments for expenses in some cases, and free credit reports.

3. Change your passwords

If your data has been stolen, it is important to immediately change your account password. In case you use the same password for any other accounts, you should change those too.

Additionally, you should change the passwords of your banking platforms. In the case of apps like BigBasket, many users store their debit/credit card information for ease of making purchases. However, in the event of a data breach, it is recommended to remove sensitive financial information from the app. If you continue to store this information, you should activate two-factor authentication for every transaction.

4. Contact your financial institutions

If your credit/debit card information was compromised in a breach, you should immediately contact your bank to cancel and replace it. You should also contact credit-reporting bureaus to place a fraud alert in your name, which will notify you if anyone tries to steal your financial identity.

5. Monitor your accounts

For at least a couple of weeks after the breach, you should closely monitor your banking accounts for any suspicious transactions.

In order to prevent any additional breaches of your data, you should take measures to protect it. An important step in this direction is to be cautious of the information you are sharing and how you are sharing it.
