Data of almost 20 million BigBasket users leaked from November 2020 hack | #cybersecurity | #cyberattack

Hackers have uploaded personally identifiable data of around 20 million users belonging to online grocery platform BigBasket on the internet. The hack was first reported by cybersecurity firm Cyble in November last year, which said that the hackers had put up the data for sale for Rs 30 lakh. About 50 different data points such as phone numbers, email IDs, passwords, delivery addresses, order details such as last order date, order value, number of times ordered, etc. has been leaked by hackers.

The incident has come at a time when BigBasket is in the process of being acquired by salt-to-software conglomerate Tata group, and is awaiting a nod from the Competition Commission of India (CCI).

Last year, when the hack was reported, the company said that it had filed a police complaint in with Cyber Crime Cell in Bengaluru and was verifying claims made by cyber experts.

On Monday, the company said in a statement: “This article/social media post refers to an alleged data breach in Nov-2020 and not something that has happened recently. The reason we know it’s not recent is that the article /social media post mentions the release of hashed passwords. We had eliminated all hashed passwords from our system and moved to a secure OTP-based authentication mechanism quite some time back. Also, our site does not collect or store any sensitive personal data of customers like credit card details. So customer data continues to be safe and no further action needs to be taken by customers”.

Indian firms have recently witnessed several data breaches. Earlier this month, retail broking company Upstox had alerted customers of a security breach that included contact data and KYC details of customers.

Prior to that, last month, hackers had claimed breaching the customer database of e-wallet firm MobiKwik.

India does not have a robust mechanism for user data protection and penal actions, if any, in cases of data breaches. The Personal Data Protection Bill, which is said to contain provisions dealing with the same, has been pending in Lok Sabha since 2019.

A Joint Parliamentary Committee, which was initially supposed to submit its report on the Bill by March, has sought extension till the first week of Parliament’s Monsoon session.

In the absence of the Bill, the Information Technology Act of 2000 and the rules made in 2011 form a regime of data protection, which several experts have said are inadequate.

Original Source link

Leave a Reply

Your email address will not be published.

− five = three