BigBasket faces potential data breach; details of 20 mn users put on sale

Names, email IDs, password hashes, contact numbers, addresses of users put on sale on dark web, claims cyberintelligence firm Cyble

Online grocery platform BigBasket has become the latest target of cyberattack in India.

The company has faced a potential data breach with the information of over 20 million customers on the darkweb for sale, according to US-based cybersecurity intelligence firm Cyble.

The data, being sold for $40,000, includes the full names, email IDs, password hashes (potentially hashed OTPs), PIN, contact numbers, addresses, dates of birth, location, and IP addresses of login, among other bits of information, says a Cyble blogpost.

The Bengaluru-based start-up has lodged a complaint with the city’s cybercrime cell and is evaluating the extent of the breach and authenticity of the claim in consultation with cyber security experts.

“The privacy and confidentiality of our customers are our priority and we do not store any financial data, including credit card numbers, and are confident that this financial data is secure,” said the Alibaba-backed company in a statement.

“The only customer data we maintain are email IDs, phone numbers, order details, and addresses so these are the details that could potentially have been accessed. We have a robust information security framework that employs best-in-class resources and technologies to manage our information,” it added.

According to the Cyble blogpost, the alleged breach occurred on October 14 and the BigBasket management was informed about it on November 1.

While online commerce has made lives easier, this convenience could come at a cost, say experts.

Last month, Hyderabad-based pharmaceuticals company Dr Reddy’s had to shut its plants across the globe after a cyberattack on its servers. In May this year, Facebook-backed edtech start-up Unacademy had become the target of cyber attack with the data of over 20 million of the platform’s users leaked and put on sale on the darkweb.

According to an IBM survey, the average cost of a data breach in India touched ~14 crore in 2020, an increase of 9.4 per cent from last year, as the average time to contain a data breach increased from 77 to 83 days a year. The top three root causes of data breach are malicious attacks, system glitches, and human error in the country, added the report.

While the opinion is uniform that data is a critical asset that can help sharpen business outreach and increase profits, it should be treated as a tradeable asset, say experts.

“Instead of treating it as a commodity that needs to be hidden behind large security measures, the industry and regulatory bodies need to move towards treating data as a tradeable asset and data economy infrastructure wherein consumers will be more comfortable and slightly richer and data pirates have less of an incentive to breach and sell it,” said Ankit Chaudhari, chief executive officer and founder, Aiisma, a data marketplace.

“Or else security will keep becoming expensive and hackers sophisticated, a scenario in which neither consumer nor company wins,” Chaudhari added.