Upstox says it has upgraded its systems on the recommendations of a global cybersecurity firm after receiving claims of unauthorised access to its database
According to cybersecurity researcher Rajshekhar Rajaharia, 2.5 Mn users were affected and 56 Mn KYC data files were leaked
Leaked data includes email, date of birth, passport, PAN details and more
Online discount broking platform Upstox suffered a massive data breach affecting the personal data of 2.5 Mn of its customers, according to several media reports on Sunday (April 11, 2021). Thereafter, the company admitted that earlier claims about the data breach were right and it has since enhanced its cybersecurity systems.
According to cybersecurity researcher Rajshekhar Rajaharia, 2.5 Mn users were affected and 56 Mn KYC data files were leaked — including email, date of birth, passport, PAN etc — by hacker group ShinyHunters.
The hacking group is rumoured to have been behind multiple data breaches of Indian startups over the past one year such as Dunzo, BigBasket, JusPay, ChqBook, among others.
“We have upgraded our security systems manifold recently, on the recommendations of a global cyber-security firm. We brought in the expertise of this globally renowned firm after we received emails claiming unauthorized access into our database. These claims suggested that some contact data and KYC details may have been compromised from third-party data-warehouse systems,” said the company on its blog.
The Upstox data leak comes at a time when cybersecurity breaches seem to have picked pace in the past few months — from the data leak of 100 Mn Mobikwik users to 500 Mn+ Facebook users (of which 6 Mn were Indian accounts) to over 500 Mn LinkedIn users.
In one of the biggest data breaches in India, in March, Gurugram-based fintech company MobiKwik was rocked by the allegations of data of over 100 Mn users being leaked. The allegation that was repeatedly denied by the company also led to a warning by the RBI who ordered an external auditor to conduct a forensic audit on the breach.
Last week, Microsoft-owned LinkedIn denied the breach, but Cyber News had reported that scraped data of over 500 Mn LinkedIn users was put for sale on a hacker forum. The data up for sale included account IDs, full names, email addresses, phone numbers, workplace information and links to social media accounts among other details.
In the case of Facebook, leaked data of 533 Mn users was posted for free on hacking forums and included the date of joining, place of work, names, gender, occupation and relationship status of users. The breach affected 6 Mn Indian users and included details such as phone numbers, Facebook IDs, full names, locations, birthdates, bios, and in some cases email addresses. The social media giant told media agencies that the leak was related to a vulnerability that the company patched in 2019.
Similarly, in November last year, data from ‘iimjobs.com’ which included encrypted passwords of 1.4 Mn registered users was allegedly leaked on the dark web.
A report by IBM’s ‘Cost of a Data Breach Report 2020’ states that Indian companies witnessed an average $2 Mn total cost of a data breach in 2020, representing an increase of 9.4% from 2019. A total of over 26,100 Indian websites were hacked last year alone as per the data recorded by the state-owned Indian Computer Emergency Response Team (CERT-In).
