India's biggest online grocer alerted to breach, sale of 20m users' data


India's biggest online grocer BigBasket has suffered an alleged data breach that could have led to personal information of more than 20 million users being offered for sale on the Dark Web.

This incident follows a series of data breaches that have affected Indian companies.

The Atlanta-based cyber security firm Cyble made the breach public on Nov 7, after finding the data for sale online for US$40,000 (S$53,650).

It said it detected the alleged breach on Oct 30, as part of its routine monitoring of cyber criminal activity, and reported it to BigBasket on Nov 1.

"The size of the SQL (domain-specific language) file is (around) 15GB, containing close to 20 million user data," according to Cyble.

"More specifically, this includes full names, e-mail IDs, password hashes (potentially hashed OTPs), PIN, contact numbers (mobile plus phone), full addresses, date of birth, location, and IP addresses of login, among many others."

BigBasket has filed a complaint with the Cyber Crime Cell in Bangalore to investigate if there is a data breach.

The nine-year-old e-commerce platform, which has operations in 35 cities across India, is run by the Bangalore-based Innovative Retail Concepts, and is valued at US$2 billion.

The company is backed by, among others, Alibaba Group, Mirae Asset-Naver Asia Growth Fund and the British government-owned CDC group.

In a statement, BigBasket said it was evaluating the extent of the breach and authenticity of the claim with cyber security experts and finding "immediate ways to contain it".

Its co-founder Hari Menon said there was no change in customer behaviour at the moment.

"The extent of the breach is still unknown and unclear and our customers know that. What we are certain of is that there is no breach of any financial data whatsoever because we don't store any financial data of our customers," he added.

More people started shopping for groceries online after India imposed a lockdown in late March to contain the spread of the coronavirus. BigBasket saw its sales double from February to July, with its customer base growing by 80 per cent and existing customers buying 25 per cent more.

The Data Security Council of India, in partnership with PayPal, said in an August report that the number of people shopping online in India grew 73 per cent in big cities and 400 per cent in smaller towns. But this had also given rise to scams related to Covid-19 such as Web-skimming, malware attack campaigns and phishing scams, the report noted.

In June, delivery start-up Dunzo, also based in Bangalore, found that personal details of more than 300,000 of its user accounts had been leaked.

Cyble alone reported six breaches involving Indian firms in the past month, including at snack maker Haldiram's, a matrimonial-service website and the Indian Railways' online ticketing portal.

Even as user data online becomes more voluminous and more vulnerable, India continues to drag its feet on passing a data protection policy.

The National Cyber Security Coordinator Rajesh Pant told The Economic Times: "The digital explosion that was supposed to happen in five years suddenly happened in five weeks.

"This digital transformation also requires fraud and risk management."


A version of this article appeared in the print edition of The Straits Times on November 16, 2020, with the headline India's biggest online grocer alerted to breach, sale of 20m users' data.