Digital stockbroking firm Upstox, one of the official partners of the Indian Premier League (IPL), has admitted a data breach, saying that the financial details of its users are completely safe. However, cyber security researchers said at least 25-30 lakh users may be affected and the hacker is asking $1.2 million ransom.
According to independent security researcher Rajshekhar Rajaharia, this is the handiwork of ShinyHunters that has been involved in several hacking incidents involving top Indian companies (including Bigbasket, BuyUcoin and JusPay), and data of 25-30 lakh Upstox users and 5.6 crore KYC files may have been leaked.
Claiming that the funds and securities are protected and remain safe, the Tiger Global-backed company said in a statement that it has upgraded the security systems, based on the recommendations of a global cyber-security firm.
“We brought in the expertise of this globally renowned firm after we received emails claiming unauthorised access into our database. These claims suggested that some contact data and KYC details may have been compromised from third-party data-warehouse systems,” the company said in the statement.
“As a matter of abundant caution, we have also initiated a secure password reset via OTP,” the company added.
According to Rajaharia, the breached database includes bank account details, mobile numbers, pictures of users’ signature, Aadhaar, PAN and passport etc.
Ravi Kumar, Co-founder and CEO of Upstox, said the company takes security and privacy very seriously.
“While we have already reported this incident to the relevant authorities, we deeply regret any inconvenience this may have caused you,” Kumar said.
According to Sonit Jain, CEO of GajShield Infotech, in a rush to scale their business, many a times, enterprises do not focus on data security.
“Being aware of where customer data is located and protecting it, is a must for every organisation, however big or small they maybe. Data security should not be a one-time effort, enterprises need to have a real time visibility to their threat surface and data flows,” Jain said.
ShinyHunters has been involved in several data breaches recently, including allegedly leaking sensitive data of nearly 3.25 lakh users of Delhi-NCR based global cryptocurrency exchange and wallet, BuyUcoin, on the Dark Web.
The hacker has also leaked 19 lakh user records stolen from free online photo editing application Pixlr.
In November last year, one of India’s popular online grocery stores BigBasket, found that data of over 2 crore users had been hacked and were on sale on the Dark Web for over $40,000 — which is reported to be the handiwork of ShinyHunters.
The hacker is allegedly behind over 44 public leaks in 2020 and several are not yet listed. The databases he has contain information of over 125 crore people globally, including more than 20 crore Indians.