BANGALORE - India's biggest online grocer BigBasket has suffered a potential data breach that could allegedly have led to personal information of over 20 million users being offered for sale on the Dark Web.
This incident follows a series of data breaches that have impacted Indian companies.
Atlanta-based cyber-security firm Cyble Inc made the breach public on Nov 7 after finding the data for sale online for US$40,000 (S$54,000).
The firm said that it detected the alleged breach on Oct 30 as part of its routine monitoring of cyber criminal activity, and reported it to BigBasket on Nov 1.
"The size of the SQL (domain-specific language) file is (around) 15GB, containing close to 20 million user data.
"More specifically, this includes full names, e-mail IDs, password hashes (potentially hashed OTPs), PIN, contact numbers (mobile plus phone), full addresses, date of birth, location, and IP addresses of login, among many others," said Cyble Inc.
BigBasket has filed a complaint with the Cyber Crime Cell in Bangalore to investigate if there is a data breach.
The nine-year-old e-commerce platform, which operates in 35 Indian cities, is run by Bangalore-based Innovative Retail Concepts, and is valued at US$2 billion.
The company is backed by, among others, Alibaba Group, Mirae Asset-Naver Asia Growth Fund, and the British government-owned CDC group.
In a statement, BigBasket said it was evaluating the extent of the breach and authenticity of the claim with cyber-security experts and finding "immediate ways to contain it".
BigBasket co-founder Hari Menon said there was no change in customer behaviour at the moment.
"The extent of the breach is still unknown and unclear and our customers know that. What we are certain of is that there is no breach of any financial data whatsoever because we don't store any financial data of our customers," said Mr Menon.
More people started shopping for groceries online after India imposed a lockdown in late March to contain the spread of coronavirus.
BigBasket saw its sales double from February to July, its customer base grow by 80 per cent and existing customers buy 25 per cent more.
The Data Security Council of India, in partnership with PayPal, said in an August report that the number of people shopping online in India grew at 73 per cent for big cities and at 400 per cent in smaller towns.
However, this had also given rise to scams related to Covid-19 such as Web-skimming, malware attack campaigns and phishing scams, the report said.
In June, Bangalore-based delivery start-up Dunzo had found that personal details of more than 300,000 of its user accounts were leaked.
Cyble alone reported six cyber breaches involving Indian companies in the past month, including at snack maker Haldirams, the Indian Prime Minister's personal website, matrimonial services website BharatMatrimony.com, and the Indian railways' online ticketing portal.
The National Cyber Security Coordinator Rajesh Pant told The Economic Times: "The digital explosion that was supposed to happen in five years suddenly happened in five weeks. This digital transformation also requires fraud and risk management."
Even as user data online become more voluminous and more vulnerable, India continues to drag its feet on passing a data protection policy.