
Customer Data Leak Detected At B2B Logistics Company Shipyaari


The logistics company exposed the data of thousands of customers because of a leak in its internal shipment information

Since the first detection of the leak in late 2021, Shipyaari has fixed the issue

The leaked Shipyaari data included customer names, addresses, phone numbers, order invoice data and delivery status

Mumbai-based logistics company Shipyaari, which offers logistics services to D2C brands, exposed the personal data of its customers.

According to a TC report, the logistics company exposed the data of thousands of customers because of a leak in its internal shipment information, which lasted for months. The data leak was found by Indian security researcher Ashutosh Barot.

The leaked Shipyaari data included customer names, addresses, phone numbers, order invoice data and delivery status. Since the client tracking page was not password protected, anyone with the web address could view it, Barot noted.

“The exposed information could later be used to perform targeted social engineering attacks and financial frauds,” Barot told TC.

A query sent by Inc42 to Barot and Shipyaari did not elicit a response.

Since the first detection of the leak in late 2021, Shipyaari has fixed the issue. The logistics major removed all the personally identifiable information, or PII, from its tracking page and put the tracking page behind a security wall that now requires an OTP for access. 

As a rule of thumb, logistics players allow users to check package tracking information by only using the order number or the invoice number. However, it should be standard practice to not display PII on tracking pages anywhere.
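The two controls described above, an OTP gate in front of the tracking page and a response that carries no PII, can be sketched as follows. This is an added example, not Shipyaari's code; the record layout, field names, order number and limits are assumptions constructed for illustration.

```python
import hmac
import secrets
import time

# Constructed sample record; field names are assumptions, not Shipyaari's schema.
SHIPMENTS = {
    "ORD-1001": {
        "status": "Out for delivery",
        "last_scan_city": "Mumbai",
        "expected_by": "2022-09-03",
        "customer_name": "A. Sample",
        "address": "12 Example Road, Mumbai",
        "phone": "+91-00000-00000",
        "invoice_total": "1499.00",
    }
}
TRACKING_FIELDS = ("status", "last_scan_city", "expected_by")  # allowlist, no PII
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 3
_pending = {}  # order_id -> [otp, expires_at, attempts_left]


def issue_otp(order_id, now=None):
    """Create a one-time code; a real service sends it to the phone on file."""
    if order_id not in SHIPMENTS:
        return None
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending[order_id] = [otp, now + OTP_TTL_SECONDS, MAX_ATTEMPTS]
    return otp  # returned only so the example can be exercised offline


def tracking_view(order_id, otp, now=None):
    """Return allowlisted tracking fields for a fresh, correct, unused OTP."""
    now = time.time() if now is None else now
    entry = _pending.get(order_id)
    if entry is None:
        return None
    expected, expires_at, attempts_left = entry
    if now > expires_at or attempts_left <= 0:
        _pending.pop(order_id, None)  # expired or locked out: force a new OTP
        return None
    if not hmac.compare_digest(expected, str(otp)):  # constant-time compare
        entry[2] -= 1
        return None
    del _pending[order_id]  # single use
    record = SHIPMENTS[order_id]
    return {field: record[field] for field in TRACKING_FIELDS}
```

Because the response is built from an allowlist rather than by deleting known PII keys, a field added to the shipment record later stays off the tracking page until someone explicitly exposes it.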

Founded in 2013 by Nayan Ratandhyara and Vishal Totla, Shipyaari claims to serve more than 25,000 pin codes, handling 5,000 shipments a day. The logistics company’s website also claims to have partnered with more than 6,000 active sellers across the country.

India has seen its fair share of data leaks over the last few years, but none was as impactful and as badly handled as the MobiKwik data leak last year. Impacting almost 100 Mn users, the data leak was the largest of its kind in the Indian startup ecosystem.

However, MobiKwik not only threatened the researcher who pointed to the leak, Rajshekhar Rajaharia, but also denied the breach altogether and laid the blame for customer data leaking on customers themselves.

MobiKwik, however, was not alone in last year’s data leaks. Since November 2020, data leaks at LimeRoad, BigBasket, Zee5, Chqbook, Upstox and Bizongo saw data of more than 37.5 Mn customers leaked. 

On the other hand, Domino’s India was the scene of a massive data leak, when data related to over 180 Mn orders appeared on the dark web.

India had been working on the Personal Data Protection Bill since 2017 but pulled it back after backlash from various corridors of the industry. The government cited various reasons for pulling the bill back, including an increased compliance burden on startups, and is working on a new bill.


