BigBasket Data Breach: Is Your Data Secure?

According to India’s National Cyber Security Coordinator Lt. Gen. (retd.) Rajesh Pant, 375 cyberattacks take place every day in the country.

BigBasket, India’s leading online grocer, suffered a potential data breach last month, with the personal information of over 20 million customers allegedly sold on the dark web. The breach was detected by cybersecurity firm Cyble during one of its routine searches on the dark web for criminal activity.

The firm said that it first detected the breach on October 30, but the hack allegedly occurred on October 14. The firm then validated the breach and informed BigBasket management on November 1. Later, on November 7, the Atlanta-headquartered cybersecurity firm made the details of the breach public.

In a blog post, Cyble said that the details of 20 million users have been put up for sale on the dark web for $40,000.

“The leak contains a database portion; with the table name ‘member_member’. The size of the SQL file is ~ 15 GB, containing close to 20 Million user data. More specifically, this includes full names, email IDs, password hashes (potentially hashed OTPs), pin, contact numbers (mobile + phone), full addresses, date of birth, location, and IP addresses of login among many others,” the firm wrote.

Headquartered in Bengaluru, BigBasket is India’s largest online food and grocery store. It is valued at $2 billion and is run by Innovative Retail Concepts Pvt Ltd. It is funded by Alibaba Group, Mirae Asset-Naver Asia Growth Fund, and the U.K. government-owned CDC group.

“A few days ago, we learnt about a potential data breach at Bigbasket and are evaluating the extent of the breach and authenticity of the claim in consultation with cybersecurity experts and finding immediate ways to contain it. We have also lodged a complaint with the Cyber Crime Cell in Bengaluru and intend to pursue this vigorously to bring the culprits to book,” BigBasket had said in a statement, according to First Post.

BigBasket added that the privacy and confidentiality of its customers is its priority and that it does not store any financial data such as credit card numbers and “is confident that this financial data is secure.”

“The only customer data that we maintain are email IDs, phone numbers, order details, and addresses so these are the details that could potentially have been accessed. We have a robust information security framework that employs best-in-class resources and technologies to manage our information,” the company said, adding that in order to further strengthen cybersecurity, it will continue to proactively engage with industry-leading strategies.

Cyble later revealed that the hacking group “Shinyhunters” was behind the hack, based on a conversation between the group and another cybercriminal which occurred on RaidForums, a marketplace for leaked databases, on November 10. Operational since 2005, the group has been selling a database containing a combined total of 73.2 million user records across 11 different companies including Wattpad, and, on the dark web.

According to a recent report by IBM, data breaches cost $3.86 million on average across the 17 geographies surveyed in 2020. The report found that 80% of the incidents resulted in the disclosure of customers’ personally identifiable information (PII).

Finance, technology, and services were among the sectors that experienced the costliest attacks, it added. Furthermore, malicious attacks were responsible for 52% of breaches.

Global cybercrime costs are expected to reach US$10.5 trillion annually by 2025, compared to US$3 trillion in 2015, according to Cybersecurity Ventures. The company has also predicted that there will be a ransomware attack on businesses every 11 seconds by 2021.

Data breaches in India

According to Cyble, there has been an increase in cybercriminal activities in the last 12 months, including threat actors targeting India specifically.

Despite India ranking in the global top 10 for the highest number of Internet users, data privacy and regulatory frameworks in the country are still in their infancy and are relatively weak compared to those of countries with more mature Internet infrastructure.

“Cyber space is a complex environment of people, software, hardware and services on the Internet. Due to vulnerabilities in software, lack of awareness among people and evolving processes, there are possibilities of increased cybersecurity incidents,” said Sanjay Dhotre, Minister of State for Electronics and Information Technology.

On Monday, November 17, India’s National Cyber Security Coordinator Lt. Gen. (retd.) Rajesh Pant said that India sees 375 cyberattacks every day, and that there are 400,000 malware schemes in operation. The numbers were reported in an article by The Hindu.

Recent incidents of data breaches in India include those at snacks manufacturer Haldiram Snacks Pvt Ltd, online matrimonial service Bharat Matrimony, Indian Prime Minister’s personal website, Indian Railways’ online ticketing portal IRCTC, and Indian wedding planning website Wedmegood.

Following a series of high-profile security breaches on Twitter, an account linked to Prime Minister Narendra Modi was hacked on September 3, and hackers posted a series of tweets asking for cryptocurrency donations to a relief fund. Cyble later found databases of the website on the dark web, which contained “a substantial amount of Personally Identifiable Information (PII) data belonging to the Prime Minister’s followers.”

Cyble added that the data contains the personal details of over 570,000 users, including their names and email addresses. Another database also showed the details of financial transactions made by donors.

In May this year, Cyble had said that an unidentified individual was allegedly selling the personal data of 47.5 million users of caller ID app Truecaller on the dark web for $1000. However, Truecaller denied the breach and stated, “all our user information is secure.”

Earlier this year, Cyble had also reported that the data of 29 million Indian job seekers from various job portals was allegedly leaked on the dark web. The findings followed a report by an independent security researcher who found a database containing the information of 9.1 million Zoomcar users.

How to find out if your data has been leaked

A haven for cybercriminals, the dark web is an unregulated part of the internet that is not indexed by search engines. As it uses encryption software, it provides anonymity for users and hides their locations.

Through the portal, owned by Cyble, users can verify if their personal details have been leaked onto the dark web.

Alternatively, the site haveibeenpwned allows users to enter their email addresses to check which data breaches they were exposed in, and whether their accounts have been compromised.

What to do if your data has been leaked

As data breaches generally occur at the organizational level, where hackers access the data of millions of users (as in the case of the BigBasket data breach), there is not much individuals can do in terms of prevention. However, if your data has been compromised through a breach in an organization, there are several steps you should take.

1. Confirm the breach and find out what type of data was stolen

When a breach occurs, it is the responsibility of the company to inform all its users immediately. If you find out about a breach, you can also contact the company to confirm it, and to find out if your information was compromised.

It is also important to find out what type of data was stolen to determine your next course of action. While your name and address are relatively less significant, details such as your date of birth, email address, and financial information could put you in a more vulnerable position.

2. Accept the company’s offer to help

If the breached company is offering any help to protect you, you should consider accepting it. For instance, after the 2017 data breach of Equifax, a credit reporting agency, which potentially leaked the personal data of 147 million people, the company offered a $425 million settlement to the victims. In addition, the company offered free credit monitoring and identity theft protection services to those who filed claims, cash payments for expenses in some cases, and free credit reports.

3. Change your passwords

If your data has been stolen, it is important to immediately change your account password. If you use the same password for any other accounts, you should change those too.

Additionally, you should change the passwords of your banking platforms. With apps like BigBasket, many users store their debit/credit card information for ease of making purchases. However, in the event of a data breach, it is recommended to remove sensitive financial information from the app. If you continue to store this information, you should activate two-factor authentication for every transaction.

4. Contact your financial institutions

If your credit/debit card information was compromised in a breach, you should immediately contact your bank to cancel and replace it. You should also contact credit-reporting bureaus to place a fraud alert in your name, which will notify you if anyone tries to steal your financial identity.

5. Monitor your accounts

For at least a couple of weeks after the breach, you should closely monitor your banking accounts for any suspicious transactions.

In order to prevent any additional breaches of your data, you should take measures to protect it. An important step in this direction is to be cautious of the information you are sharing and how you are sharing it.

Reethu Ravi
Reethu is a Staff Writer at Jumpstart.

