Cybercrooks eye Indian startups to steal consumer data: Report

UK-based data security firm BugsBounty.Com said startups with software vulnerabilities pose a threat to users' private and financial data

Press Trust of India New Delhi
Last Updated : Mar 06 2016 | 1:20 PM IST
Cybercriminals are looking to exploit vulnerabilities in the IT infrastructure of Indian startups to steal customer data, including passwords and financial details, a report said.

According to a report by UK-based data security firm BugsBounty.Com, 72 out of the 100 major startups it analysed were "negligent" in implementing and maintaining reasonable security practices and procedures.

While the report did not name the companies, it said these were across segments like eCommerce (30), classifieds (14), finance and fin-tech (7), healthcare (7), food-tech (5) and hyperlocal services (3).

With growing Internet penetration and data packs becoming more affordable, consumer-focussed startups have seen business booming. Be it ordering food or furniture online or paying bills, consumers today are much more comfortable making purchases on the web and sharing details like email IDs, address and phone numbers.

"We have been speaking to some of these firms. We have warned them that they may be liable to pay massive compensation to users whose 'personal' and 'sensitive' data they store including passwords and financial information," BugsBounty.Com Director Ankush Johar told PTI.

Citing Section 43A (Compensation for failure to protect data) of the Indian IT Act, Johar said the companies may have to shell out as much as Rs 5 crore in case of a data breach.

He added that this is critical, especially since billions of dollars of investor money is riding on these ventures.

"Also, 22 out of the 100 were found to have web server software vulnerabilities that pertain to software on their servers that is known to have bugs, but these startups have not patched those," he said.

This puts all the data on their servers at risk, including their software code and entire databases, among others, he added.

Explaining the attack, Johar said a user receives an email asking them to log in to the company's website, and they comply.

"The link is the same URL as that of the startup. The 'cautious' user ensures that the URL in the browser is the same as the sender. The user inputs his or her username and password because it appears to be completely genuine," he said.

However, instead of the company, it is the hacker who receives the username and password.

"This is not a phishing attack because the consumer is indeed logging into the company's website. However, because of the vulnerabilities that the website has, the consumer data can get into the hands of the hacker," he said.

Also, the magnitude of the threat is even higher with mobile penetration soaring, Johar said.

Consumers on their part should ensure that they change their passwords regularly and keep different sets of passwords for critical services like banking and email, and another set for other non-critical services.

"They shouldn't share any extra information that is not critical for the companies," he said.

First Published: Mar 06 2016 | 1:10 PM IST
