Five Biggest Data Breaches That Hit India in 2021

From Air India to Juspay, a look into the biggest data breaches that have occurred so far in 2021.

With the onset of the pandemic, many companies had to overhaul operations overnight. As several companies made a quick transition to remote working, they were unprepared to deal with security lapses. Consequently, cybercriminals exploited the vulnerabilities, and data breaches rose steadily in India.

“Indian startups run a huge risk of data breaches given gaps in technology infrastructure and evolving practices of cyber laws,” IvyCap Ventures Founder and Managing Partner Vikram Gupta said.

“Startups focused on large consumer bases run the risk of losing trust from their customers if they don’t take proactive measures to prevent this,” he added, noting that laws have to be “strengthened further.”

According to the Indian Computer Emergency Response Team (CERT-In), more than 26,100 Indian websites were hacked in 2020. In one of the biggest data breaches last year, the personal information of over 20 million customers of Bigbasket, India’s leading online grocer, was sold on the dark web.

A 2020 report by IBM puts the average cost of a data breach at $3.86 million across the 17 geographies surveyed last year.

This year too, cases of data breaches are on the rise. Here’s a look at the five biggest data breaches that made headlines in 2021.

1. Air India data breach

Impact: 4.5 million passenger details

Last week, India’s flag carrier airline Air India announced that the personal data of about 4.5 million passengers had been compromised following a cyber attack on its servers. The breach compromised the information of passengers who had registered with the airline between August 26, 2011, and February 3, 2021, Air India said in a statement.

The stolen data included passengers’ names, date of birth, contact information, credit card details, passport information, Star Alliance and Air India frequent flyer data, and ticket information.

However, in the statement, Air India added that the CVV/CVC data of credit cards was not held by its data processor. While passwords weren’t accessed, the airline urged passengers to change their passwords “to ensure safety of their personal data.”

Air India said that SITA passenger service system (PSS), the airline’s data processor, had first notified the airline of the attack in late February. However, the details of the compromised data were only provided in the following months.

In the statement, the airline also said that it took a number of immediate steps to “ensure safety of the data.” These steps included securing the compromised servers, investigating the incident, notifying the credit card issuers, engaging external data security specialists, and resetting the passwords of Air India frequent flyer programs.

2. Domino’s India data breach

Impact: 180 million order details

In a massive data breach, 180 million order details were stolen from Domino’s India’s database. The news of the breach was first shared by Alon Gal, Co-Founder and CTO of cybercrime intelligence firm Hudson Rock.

In a tweet on April 18, Gal stated that a “threat actor” had claimed to have hacked Domino’s India and stolen 13TB (terabytes) of data. The leaked information included order details such as names, emails, addresses, GPS location, and phone numbers. Payment details, including information on 1,000,000 credit cards, were also stolen, Gal said.

Alarmingly, last week, the hackers made the details of the leaked orders public. Usually, when a data breach occurs, the data is circulated only on the dark web. In Domino’s case, however, the hackers created a search engine that is accessible from any browser. This essentially means that anybody can pull details such as a user’s location if they search for a phone number or an email address.

Sharing the details in a tweet, cybersecurity researcher Rajshekhar Rajaharia wrote, “The worst part of this alleged breach is that people are using this data to spy on people.”

“Anybody can easily search any mobile number and can check a person’s past locations with date and time. This seems like a real threat to our privacy,” he added.

The breach seems to have affected users who ordered from Domino’s India online or by phone between 2015 and April 2021.

Following the reports of the breach last month, a Domino’s India spokesperson had said, “As a policy we do not store financial details or credit card data of our customers, thus no such information has been compromised.”

The company is yet to comment on the recent developments.

3. Juspay data leak

Impact: 100 million user accounts

The records of 100 million users of Bengaluru-headquartered payments processor Juspay were leaked on the dark web through a compromised server of the company. Juspay processes payments for tech companies such as Amazon, Flipkart, Swiggy, and Uber, among others.

The data was first spotted by Rajshekhar Rajaharia on the dark web in early January. The leaked database contains 16 different fields relating to users’ payment cards, including the card brand, expiry date, the masked card number, card type, the last four digits of the card, customer ID, and merchant account ID.

Later, in a blog post, Juspay wrote that the cyberattack had occurred on August 18, 2020. It added that 35 million records with masked card data (which is non-sensitive information) and card fingerprints were breached. Additionally, a part of the company’s metadata, which contained non-anonymized email IDs and phone numbers, was also compromised. Juspay added that as it does not store details such as CVV, PINs, or passwords, these were secure.

However, Rajaharia claimed that based on the information he came across on the dark web, 100 million email IDs and phone numbers, along with 45 million card details were leaked.

“On 3 January, I came across a seller on the dark web selling two files of data, one with email addresses and mobile numbers of 100 million customers, while the other had stored card data of 46 million transaction details,” he told CNBC.

4. Upstox data breach

Impact: 2.5 million customers’ data

Last month, Indian stockbroking firm Upstox alerted its customers of a data breach that compromised users’ contact and Know Your Customer (KYC) data.

According to media reports, the breach affected the personal data of 2.5 million customers. Rajaharia noted that the leaked KYC details included data such as date of birth, email, passport, PAN card, and more. The hacker group ShinyHunters is believed to be behind the breach.

“We would like to assure you that your funds and securities are protected and remain safe,” Upstox CEO Ravi Kumar wrote in a statement. He added that the company also initiated a password reset.

Following the attack, the company took several steps to enhance security, especially at the third-party warehouses. This included additional ring-fencing of its network and real-time 24×7 monitoring.

5. Mobikwik data leak

Impact: 110 million user details

The data of around 110 million users of mobile wallet and payments app MobiKwik was reportedly on sale on the dark web. This breach was also first reported by Rajaharia in early March.

The leaked data includes information such as credit card details, mobile phone numbers, Aadhaar card details, IP address, GPS location, and more. However, MobiKwik denied the claims about the breach.

“Our user and company data is completely safe and secure,” MobiKwik claimed in a tweet. “The various sample text files that he has been showcasing prove nothing. Anyone can create such text files to falsely harass any company.”

Later, in a statement, the company added that it had “thoroughly investigated” the breach and “did not find any security lapses.”

However, several others, including French cybersecurity expert Elliot Anderson and Australian web security researcher Troy Hunt, corroborated Rajaharia’s claims.

The data was reportedly available for search via a link (now disabled) using the Tor browser. Several users had also tweeted that they found their personal information through the link.

Amid the increasing instances of data breaches in India, security experts have called for better cybersecurity measures by organizations.

“Organisations handling end-user data should be investing more in cybersecurity solutions and practices that will enhance their security posture,” Prakash Bell, Head of Customer Success, India & SAARC, Check Point Software Technologies, told The Indian Express.

“In today’s digitalized world, protecting end-customer information is vital,” he added.

Header image by Sora Shimazaki from Pexels

Reethu Ravi
Reethu is a Staff Writer at Jumpstart.