Retail broking firm Upstox suffered a massive data breach affecting the personal data of 2.5 Mn of its customers, according to several media reports on Sunday (April 11, 2021). Thereafter, the company admitted that earlier claims about the data breach were right and it has since strengthened its cybersecurity systems.
According to cybersecurity researcher Rajshekhar Rajaharia, 2.5 Mn users were affected and 56 Mn KYC data files were leaked — including email, date of birth, passport, PAN, etc. — by hacker group ShinyHunters.
The hacking group is rumored to have been behind multiple data breaches of Indian startups over the past one year such as Dunzo, BigBasket, JusPay, ChqBook, among others.
“We have upgraded our security systems manifold recently, on the recommendations of a global cyber-security firm. We brought in the expertise of this globally renowned firm after we received emails claiming unauthorized access into our database. These claims suggested that some contact data and KYC details may have been compromised from third-party data-warehouse systems,” said the company on its blog.
The Upstox data leak comes at a time when cybersecurity breaches seem to have picked pace in the past few months — from the data leak of 100 Mn Mobikwik users to 500 Mn+ Facebook users (of which 6 Mn were Indian accounts) to over500 Mn LinkedIn users.
In one of the biggest data breaches in India, in March, Gurugram-based fintech company MobiKwik was rocked by the allegations of data of over 100 Mn users being leaked. The allegation that was repeatedly denied by the company also led to a warning by the RBI who ordered an external auditor to conduct a forensic audit on the breach.
Last week, Microsoft-owned LinkedIn denied the breach, but Cyber News had reported that scraped data of over 500 Mn LinkedIn users was put for sale on a hacker forum. The data up for sale included account IDs, full names, email addresses, phone numbers, workplace information, and links to social media accounts among other details.
In the case of Facebook, leaked data of 533 Mn users was posted for free on hacking forums and included the date of joining, place of work, names, gender, occupation, and relationship status of users. The breach affected 6 Mn Indian users and included details such as phone numbers, Facebook IDs, full names, locations, birthdates, bios, and in some cases email addresses. The social media giant told media agencies that the leak was related to a vulnerability that the company patched in 2019.