From Air India to Juspay, a look into the biggest data breaches that have occurred so far in 2021.
With the onset of the pandemic, many companies had to overhaul operations overnight. As several companies made a quick transition to remote working, they were unprepared to deal with security lapses. Consequently, cybercriminals exploited the vulnerabilities, and data breaches rose steadily in India.
“Indian startups run a huge risk of data breaches given gaps in technology infrastructure and evolving practices of cyber laws,” IvyCap Ventures Founder and Managing Partner Vikram Gupta said.
“Startups focused on large consumer bases run the risk of losing trust from their customers if they don’t take proactive measures to prevent this,” he added, noting that laws have to be “strengthened further.”
According to the Indian Computer Emergency Response Team (CERT-In), more than 26,100 Indian websites were hacked in 2020. In one of the biggest data breaches last year, the personal information of over 20 million customers of Bigbasket, India’s leading online grocer, was sold on the dark web.
A 2020 report by IBM estimates that data breaches resulted in an average loss of $3.86 million across the 17 geographies surveyed last year.
This year too, cases of data breaches are on the rise. Here’s a look at the five biggest data breaches that made headlines in 2021.
Air India data breach
Impact: 4.5 million passenger details
Last week, India’s flag carrier airline Air India announced that the personal data of about 4.5 million passengers had been compromised following a cyber attack on its servers. The breach compromised the information of passengers who had registered with the airline between August 26, 2011, and February 3, 2021, Air India said in a statement.
The stolen data included passengers’ names, date of birth, contact information, credit card details, passport information, Star Alliance and Air India frequent flyer data, and ticket information.
However, in the statement, Air India added that CVV/CVC data of credit cards were not held by its data processor. While passwords weren’t accessed, the airline urged passengers to change their passwords “to ensure safety of their personal data.”
Air India said that SITA passenger service system (PSS), the airline’s data processor, had first alerted the airline to the attack in late February. However, the details of the compromised data were only provided in the following months.
In the statement, the airline also said that it took a number of immediate steps to “ensure safety of the data.” These steps included securing the compromised servers, investigating the incident, notifying the credit card issuers, engaging external data security specialists, and resetting the passwords of Air India frequent flyer programs.
Domino’s India data breach
Impact: 180 million order details
In a massive data breach, 180 million order details were stolen from Domino’s India’s database. The news of the breach was first shared by Alon Gal, Co-Founder and CTO of cybercrime intelligence firm Hudson Rock.
In a tweet on April 18, Gal stated that a “threat actor” had claimed to have hacked Domino’s India and stolen 13TB (terabytes) of data. The leaked information included order details such as names, emails, addresses, GPS location, and phone numbers. Payment details, including information on 1,000,000 credit cards, were also stolen, Gal said.
The threat actor is looking for around $550,000 for the database and saying they have plans to build a search portal to enable querying the data.
— Alon Gal (Under the Breach) (@UnderTheBreach) April 18, 2021
Alarmingly, last week, the hackers made the details of the leaked orders public. Usually, when a data breach occurs, the data is circulated only on the dark web. However, in Domino’s case, the hackers created a search engine that is accessible on any browser. This essentially means that anybody can pull details such as a user’s location if they search for a phone number or an email address.
Sharing the details in a tweet, cybersecurity researcher Rajshekhar Rajaharia wrote, “The worst part of this alleged breach is that people are using this data to spy on people.”
“Anybody can easily search any mobile number and can check a person’s past locations with date and time. This seems like a real threat to our privacy,” he added.
The worst part of this alleged breach is that people are using this data to spy on people. Anybody can easily search any mobile number and can check a person's past locations with date and time. This seems like a real threat to our privacy. #InfoSec #GDPR #DataLeak
— Rajshekhar Rajaharia (@rajaharia) May 22, 2021
The breach seems to have affected users who ordered from Domino’s India online or via phone between 2015 and April 2021.
Following the reports of the breach last month, a Domino’s India spokesperson had said, “As a policy we do not store financial details or credit card data of our customers, thus no such information has been compromised.”
The company is yet to comment on the recent developments.
Juspay data leak
Impact: 100 million user accounts
The records of 100 million users of Bengaluru-headquartered payments processor Juspay were leaked on the dark web through a compromised server of the company. Juspay processes payments for tech companies such as Amazon, Flipkart, Swiggy, and Uber, among others.
The data was first spotted by Rajshekhar Rajaharia on the dark web in early January. The leaked database contains 16 different details corresponding to users’ payment cards. This includes the card brand, expiry date, the masked card number, card type, the last four digits of the card, customer ID, and merchant account ID.
Later, in a blog post, Juspay wrote that the cyberattack had occurred on August 18, 2020. It added that 35 million records with masked card data (which is non-sensitive information) and card fingerprint were breached. Additionally, a part of the company’s metadata, which contained non-anonymized email IDs and phone numbers, was also compromised. Juspay added that as it does not store details such as CVV, PINs, or passwords, these were secure.
However, Rajaharia claimed that based on the information he came across on the dark web, 100 million email IDs and phone numbers, along with 45 million card details were leaked.
“On 3 January, I came across a seller on the dark web selling two files of data, one with email addresses and mobile numbers of 100 million customers, while the other had stored card data of 46 million transaction details,” he told CNBC.
Upstox data breach
Impact: 2.5 million customer data
Last month, Indian stockbroking firm Upstox alerted its customers of a data breach that compromised users’ contact and Know Your Customer (KYC) data.
According to media reports, the breach affected the personal data of 2.5 million customers. Rajaharia noted that the leaked KYC details included data such as date of birth, email, passport, PAN card, and more. The hacker group ShinyHunters is believed to be behind the breach.
“We would like to assure you that your funds and securities are protected and remain safe,” Upstox CEO Ravi Kumar wrote in a statement. He added that the company also initiated a password reset.
Following the attack, the company took several steps to enhance security, especially at the third-party warehouses. This included additional ring-fencing of its network and real-time 24×7 monitoring.
Mobikwik data leak
Impact: 110 million user details
The data of around 110 million users of mobile wallet and payments app MobiKwik was reportedly on sale on the dark web. This breach was also first reported by Rajaharia in early March.
The leaked data includes information such as credit card details, mobile phone numbers, Aadhaar card details, IP address, GPS location, and more. However, MobiKwik denied the claims about the breach.
“Our user and company data is completely safe and secure,” MobiKwik claimed in a tweet. “The various sample text files that he has been showcasing prove nothing. Anyone can create such text files to falsely harass any company.”
Our user and company data is completely safe and secure.
— MobiKwik (@MobiKwik) March 4, 2021
The various sample text files that he has been showcasing prove nothing. Anyone can create such text files to falsely harass any company. 2/n
Later, in a statement, the company added that they “thoroughly investigated” the breach and “did not find any security lapses.”
However, several others, including French cybersecurity expert Elliot Alderson and Australian web security researcher Troy Hunt, also corroborated Rajaharia’s claims.
The data was reportedly available for search via a link (now disabled) using the Tor browser. Several users had also tweeted that they found their personal information through the link.
Amid the increasing instances of data breaches in India, security experts have called for better cybersecurity measures by organizations.
“Organisations handling end-user data should be investing more in cybersecurity solutions and practices that will enhance their security posture,” Prakash Bell, Head of Customer Success, India & SAARC, Check Point Software Technologies, told The Indian Express.
“In today’s digitalized world, protecting end-customer information is vital,” he added.