Governance & Risk Management , Incident & Breach Response , IT Risk Management
Online Supermarket BigBasket Investigates Data Leak Report
Researchers Say 15GB Database Offered for Sale on Darknet
BigBasket, one of the largest online grocery stores in India, is investigating a report of a data leak that could involve as many as 20 million of its customer records. The data is being offered for sale on a darknet marketplace, according to researchers at the security intelligence firm Cyble.
See Also: JavaScript and Blockchain: Technologies You Can't Ignore
The apparent data leak, which appears to have happened in October, involves a 15GB SQL database that is now for sale on a darknet marketplace for about $40,000, according to Cyble, which has validated some of the data its researchers have discovered.
The leaked data includes full customer names; email identifications; password hashes that could include hashed one-time passwords; PINs; contact numbers, including mobile phone numbers; full addresses; dates of birth; location data; and IP addresses of customer logins, according to Cyble.
The Cyble researchers first alerted BigBasket about the leak on Nov. 1 before publicly disclosing it on Saturday.
In a statement, Bengaluru-based BigBasket notes that it's investigating the leak report and the company has contacted law enforcement agencies and third-party security firms. A spokesperson also notes that the company believes that no customer financial data has been exposed.
"A few days ago, we learned about a potential data breach at Big Basket and are evaluating the extent of the breach and authenticity of the claim in consultation with cybersecurity experts and finding immediate ways to contain it," the company spokesperson says. "We have also lodged a complaint with the Cyber Crime Cell in Bengaluru and intend to pursue this vigorously to bring the culprits to book."
Founded in 2011, BigBasket, one of the fastest-growing online supermarkets in India, is backed by several high-profile investors, including Alibaba Group, Mirae Asset-Naver Asia Growth Fund and the U.K. government-owned CDC Group. There have also been local media reports about Tata Group taking a 50% stake in the company.
Data Leak
Beenu Arora, the CEO of Cyble, tells Information Security Media Group that it appears that a hacker may have gained unauthorized access to BigBastket's cloud infrastructure, but that he could not comment on any specifics due to the ongoing investigation.
"The level and extent of the access and the potential channel used by the perpetrators have been shared with BigBasket," Arora says. "We won’t be able to comment on it considering its sensitivity and to avoid any adverse impact on their ongoing investigations."
By examining some of the records posted to the darknet marketplace, the Cyble researchers determined that the apparent leak appeared to have happened on Oct. 14 and that the firm first detected it on Oct. 30.
BIGBASKET, INDIA’S LEADING ONLINE SUPERMARKET SHOPPING, ALLEGEDLY BREACHED. PERSONAL DETAILS OF OVER 20 MILLION PEOPLE SOLD IN DARKWEBhttps://t.co/c4lhRi1rGn pic.twitter.com/VvndkgKJSI
— Cyble (@AuCyble) November 7, 2020
By Oct. 31, Cyble had started to validate some of the data before contacting BigBasket the next day about the leak. Since then, the data has been added to AmIBreached.com, Cyble's data breach monitoring platform, which allows users to check their personal data, such as an email address, against the firm's database of known stolen and compromised data.
Tamaghna Basu, CTO at neoEYED, a behavioral analytics firm, says BigBasket should be doing more to inform customers about the leak to ensure they reset their passwords.
Other Breaches
In the last month, security researchers have found several Indian companies may have exposed data due to misconfigured cloud servers and databases.
For example, a misconfigured Microsoft Azure Blob cloud storage server used by Maruti Suzuki, an automobile manufacturer in India, exposed investors' personal and financial data online, according to a security researcher (see: Maruti Suzuki Investor Data Exposed).
At about the same time, an unsecured Amazon Web Services database belonging to India's Dr. Lal PathLabs potentially exposed 50GB of patient data, including notes related to the results of COVID-19 tests (see: Unsecured AWS Database Left Patient Data Exposed).
