Data breaches in two Indian fintech start-ups, Credit Fair
and Chqbook, were recently discovered by a web privacy research group called vpnMentor. While the
former start-up deals with online shopping credit to customers, the
latter is a finance marketplace that connects customers with credit card and
personal loan providers.
The research group's team found that "both Credit Fair
and Chqbook’s entire databases were unprotected and unencrypted. Credit Fair
uses a Mongo Database, while Chqbook uses Elastic Search, neither of which were
protected with any password or firewall."
With regard to Chqbook, the research group 'claimed' to
have accessed 67 GB of user information, including sensitive data such as the
user's telephone number, address, email, credit card number, expiry date,
transaction history, plain text passwords, gender, income and employment
profile, among other fields.
However, Vipul Sharma, the founder of Chqbook, denied the
research group's claim that 67 GB of user data was compromised; rather, he said
that 'Chqbook does not have that much volume of data.'
In the case of Credit Fair, the research group said it was
able to extract 44K user records containing fields such as phone number, detailed
information on loan applications, PAN number, IP address, session tokens,
Aadhaar number, and more.
As per the research group's post of July 31, the 'lending company'
has still not fixed the issue.
This is, however, not the first data breach among Indian start-ups;
numerous well-known start-ups across various sectors have experienced at least
one data breach. Some recent ones include: Truecaller, Justdial,
EarlySalary, Ixigo, FreshMenu, and Zomato.
Hence, keeping in mind the ever-expanding number of data
breaches in the nation, the Indian government has begun observing the situation
much more seriously at a policy level, and in July a high-level
panel headed by Justice B.N. Srikrishna submitted its recommendations and the
draft Personal Data Protection Bill 2018 to IT minister Ravi Shankar Prasad.
Hopefully the Government's stance on requiring all
sensitive information of Indian users to be stored locally, to
guarantee that the information is easily auditable, will be viable this time.