BigBasket breach: How can people check if their data was hacked?

Most net users have at some time or the other used some service that has been compromised. You can probe further to check what that data is

BigBasket has issued a statement that credit card/debit card/net banking details were not disclosed in the breach | Imaging: Ajay Mohanty
Devangshu Datta New Delhi
4 min read Last Updated : Nov 10 2020 | 6:10 AM IST
The Dark Web is an unregulated part of the internet. It is not indexed by search engines. Dark Websites are deliberately bare-bones, without named URLs. This is a haven for cybercriminals, and also those who wish to avoid being “outed” by search engines, or tracked by unfriendly regimes.

The cyber-security firm, Cyble, routinely searches the Dark Web for criminal activity. On October 30, Cyble discovered that India’s online supermarket, BigBasket, had been hacked. The data of around 20 million BigBasket customers were being hawked on the Dark Web at an asking price equivalent to $40,000. This included fields such as full names, email IDs, mobile numbers, date of birth, login location and IP, password hashes (hashed OTPs), pins, full physical addresses, and IP addresses.

When was the data hacked?

Cyble estimates the hacking was done around October 14. After validating the data, it informed the Bengaluru-based BigBasket. Cyble went public with the information on November 7. BigBasket did not disclose the incident to its users between November 1 and 7. It has since issued a statement that credit card/debit card/net banking details were not disclosed in the breach.

Where does this leave the customer? 

If the Dark Web does have all those data, as well as any card details (maybe somewhere else if not in the BigBasket file), you may be vulnerable to identity theft or a card hack.

Of course, you may file some sort of complaint about the breach. But there is no data privacy law in India. Arguably, much of this information could be legally sold — there is a thriving trade in digital data. Anyhow, glaciers in Antarctica melt faster than cases moving through Indian courts.

How can people check if their data was hacked? 

Many tools on the Web can help you check if there’s private data about you on the Dark Web. Cyble offers a tool at https://amibreached.com/ (also accessible via an app). This has included the BigBasket data.

A positive result on a search will tell you there is indeed data about you stacked on the Dark Web. Don’t be surprised; most net users have at some time or the other used some service that has been compromised. You can probe further to check what that data is.

If there’s a negative result, you can breathe half a sigh of relief. It’s very possible that some of your private data is sitting out there, but at least it hasn’t been picked up by a major cyber-security outfit yet and it may not be very damaging.

What can be done if data has been compromised?

There’s not much you can do about certain data being exposed. It’s hard to change your physical address. Changing your email and mobile number is irritating. It’s even harder to change your name (the name-switch will leave a web record anyhow).

But you can change your email passwords and pins, for instance. If your data has been leaked from a site that may have your financial details, it is possible, and may be prudent, to “hot-list” your cards and request replacements. Be aware this leaves you cash/cheque-dependent until new cards arrive.

How can one make online transactions safer?

Here are some guidelines for safer (not safe, but safer) online transactions. Never save card details to avoid these being sucked up if the site gets hacked. It is safer to use a credit card than a debit card. A debit card directly draws on cash in your account. If a credit card is hacked, you may, or may not, be liable for whatever fraudulent transactions are made. But a debit card hack could wipe out your bank account.

In future, use virtual credit cards. Most banks offer these for free, though they may call it something else. (HDFC Bank calls it netsafe.) The bank creates a virtual credit card on request, giving you a credit card number and CVV (card verification value — the 3-digit pin on every card). The virtual card works online like a normal credit card. But it expires within a day or two, and you set exact transaction limits.

Let’s say you buy a new mobile for Rs 15,000. Create a virtual credit card with a limit of Rs 15,500 (just in case). The balance Rs 500 will be credited to your bank account on expiry. The card expires the next day. Your real card and bank details remain protected. This adds a layer of protection.

