Governance & Risk Management , Incident & Breach Response , IT Risk Management

Online Supermarket BigBasket Investigates Data Leak Report

Researchers Say 15GB Database Offered for Sale on Darknet
Online Supermarket BigBasket Investigates Data Leak Report

BigBasket, one of the largest online grocery stores in India, is investigating a report of a data leak that could involve as many as 20 million of its customer records. The data is being offered for sale on a darknet marketplace, according to researchers at the security intelligence firm Cyble.

See Also: JavaScript and Blockchain: Technologies You Can't Ignore

The apparent data leak, which appears to have happened in October, involves a 15GB SQL database that is now for sale on a darknet marketplace for about $40,000, according to Cyble, which has validated some of the data its researchers have discovered.

The leaked data includes full customer names; email identifications; password hashes that could include hashed one-time passwords; PINs; contact numbers, including mobile phone numbers; full addresses; dates of birth; location data; and IP addresses of customer logins, according to Cyble.

The Cyble researchers first alerted BigBasket about the leak on Nov. 1 before publicly disclosing it on Saturday.

In a statement, Bengaluru-based BigBasket notes that it's investigating the leak report and the company has contacted law enforcement agencies and third-party security firms. A spokesperson also notes that the company believes that no customer financial data has been exposed.

"A few days ago, we learned about a potential data breach at Big Basket and are evaluating the extent of the breach and authenticity of the claim in consultation with cybersecurity experts and finding immediate ways to contain it," the company spokesperson says. "We have also lodged a complaint with the Cyber Crime Cell in Bengaluru and intend to pursue this vigorously to bring the culprits to book."

Founded in 2011, BigBasket, one of the fastest-growing online supermarkets in India, is backed by several high-profile investors, including Alibaba Group, Mirae Asset-Naver Asia Growth Fund and the U.K. government-owned CDC Group. There have also been local media reports about Tata Group taking a 50% stake in the company.

Data Leak

Beenu Arora, the CEO of Cyble, tells Information Security Media Group that it appears that a hacker may have gained unauthorized access to BigBastket's cloud infrastructure, but that he could not comment on any specifics due to the ongoing investigation.

"The level and extent of the access and the potential channel used by the perpetrators have been shared with BigBasket," Arora says. "We won’t be able to comment on it considering its sensitivity and to avoid any adverse impact on their ongoing investigations."

By examining some of the records posted to the darknet marketplace, the Cyble researchers determined that the apparent leak appeared to have happened on Oct. 14 and that the firm first detected it on Oct. 30.

By Oct. 31, Cyble had started to validate some of the data before contacting BigBasket the next day about the leak. Since then, the data has been added to, Cyble's data breach monitoring platform, which allows users to check their personal data, such as an email address, against the firm's database of known stolen and compromised data.

Screenshot of leaked data reportedly linked to BigBasket (Source: Cyble)

Tamaghna Basu, CTO at neoEYED, a behavioral analytics firm, says BigBasket should be doing more to inform customers about the leak to ensure they reset their passwords.

Other Breaches

In the last month, security researchers have found several Indian companies may have exposed data due to misconfigured cloud servers and databases.

For example, a misconfigured Microsoft Azure Blob cloud storage server used by Maruti Suzuki, an automobile manufacturer in India, exposed investors' personal and financial data online, according to a security researcher (see: Maruti Suzuki Investor Data Exposed).

At about the same time, an unsecured Amazon Web Services database belonging to India's Dr. Lal PathLabs potentially exposed 50GB of patient data, including notes related to the results of COVID-19 tests (see: Unsecured AWS Database Left Patient Data Exposed).

About the Author

Suparna Goswami

Suparna Goswami

Associate Editor, ISMG

Goswami has more than 10 years of experience in the field of journalism. She has covered a variety of beats including global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed for Forbes Asia, where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine and leading Indian newspapers, such as DNA and Times of India.

Geetha Nandikotkur

Geetha Nandikotkur

Vice President - Conferences, Asia, Middle East and Africa, ISMG

Nandikotkur is an award-winning journalist with over 20 years of experience in newspapers, audiovisual media, magazines and research. She has an understanding of technology and business journalism and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a group editor for CIO & Leader, IT Next and CSO Forum.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.