Stockbroking start-up becomes the latest victim amid rising incidences of hacks in India.
Indian Brokerage Firm Upstox Suffers Massive Data Breach
CHENNAI, India — India’s second-largest stockbroking firm Upstox initiated password resets for millions of traders on its platform earlier this month after learning a huge data breach might have hit it.
Chief executive Ravi Kumar announced on April 11 some user data and Know-Your-Customer details — that all financial services firms in India accept to verify user identity — might have been compromised from third-party data-warehouse systems.
“We have upgraded our security systems manifold recently, on the recommendations of a global cyber-security firm,” Kumar, co-founder of the firm backed by the likes of investment firm Tiger Global Management and Indian industrialist Ratan Tata, said in a statement.
“We would like to assure you that your funds and securities are protected and remain safe. Funds can only be moved to your linked bank accounts, and your securities are held with the relevant depositories.”
“As a matter of abundant caution, we have also initiated a secure password reset via One-Time Password.” The start-up, which began in 2012, has raised around $29 million in funding, according to Crunchbase.
While the statement did not disclose the number of user accounts affected in the breach, independent internet security researcher Rajshekhar Rajaharia told Zenger News sensitive data of “almost 2.5 million users were compromised”.
“There’s a forum on the dark web, and it [Upstox data] was posted there asking for $1.2 million in ransom along with data of 100,000 users on Sunday,” Rajaharia said.
“The breach had names, emails, passwords, bank details, KYC soft copies including signatures — which is huge. In data breaches, if your card details are stolen, you can apply for a new one, but you can’t change your signature.”
Upstox’s spokesperson told Zenger News the firm had initiated multiple security enhancements, particularly at the third-party warehouses, real-time 24×7 monitoring, and additional ring-fencing.
“Upstox takes customer security extremely seriously,” the spokesperson said in an email to Zenger News. “Funds and securities of all Upstox customers are protected and remain safe. We have also duly reported this incident to the relevant authorities.”
On April 13, reports of a data breach at cloud communication platform provider Route Mobile spread. But the firm denied the claims.
“We would like to highlight that unverified posts and claims are being circulated about an alleged data breach at Route Mobile,” the firm’s spokesperson said in an email to Zenger News. “Our cybersecurity team is investigating the same.”
“As of today, we can confirm that Route Mobile’s systems are secure, and there is no evidence to suggest that this has any impact on Route Mobile customers’ personal data. As we take all data security claims seriously, we have engaged a third-party cybersecurity consultant to verify and audit our findings independently,” the spokesperson said.
Another financial services firm, MobiKwik, took the same route and denied any data breach the previous month. The firm went on to blame users. Reports claim hackers exposed data of 110 million of the firm’s 120 million users.
“Some users have reported that their data is visible on the dark web. While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik,” a note from MobiKwik states.
Rajaharia says Upstox’s Amazon Web Services key was compromised in the breach, the same reason for the MobiKwik breach.
“About 80-90 percent of companies are breached because Amazon Web Services keys are compromised,” Rajaharia told Zenger News.
“There can be a lot of reasons for this. Some employees use company email ID in other sites, and if those sites are breached, keys can be easily compromised.”
“Work-from-home could be another reason. Inside an office, you have protection and a firewall, but hackers can easily target servers at home. There have been a lot of breaches post-Covid,” he said.
In India, payment gateway Juspay’s data breach affected 35 million users. E-grocer BigBasket confirmed a data breach last year after cyber intelligence firm Cyble said 20 million users were affected and sensitive data leaked. The firm filed a First Information Report with the Bengaluru Police in November 2020 to investigate the incident.
Last year, online edutech firm Unacademy suffered a data breach of 20 million users, with hackers selling the information for $2,000, according to Cyble. Unacademy maintained that the breach impacted only 11 million users of the platform, and no passwords were exposed.
Rajaharia believes “hacker group ShinyHunters was responsible for the Upstox breach and was behind the hacking of Juspay, BigBasket, and Unacademy”.
In another tweet, he said: “It seems after this alleged Upstox data breach, ShinyHunters email account has been suspended. According to Wikipedia, ShinyHunters group is under investigation from the FBI, the Indonesian police, and the Indian police.”
Unlike companies in the U.S., Indian firms are not obligated to disclose data breaches publicly. They are only expected to report breaches, identity thefts, and phishing attacks to the Indian Computer Emergency Response Team (CERT-In). CERT is a nodal agency under the India’s Ministry of Electronics and Information Technology that handles cybersecurity-related issues.
CERT-In did not respond to Zenger News’ queries on the Upstox data breach.
“India is yet to build specific legislation around data protection,” advocate Satyoki Koundinya, who practices in the areas of IT, telecommunication, and IP law, told Zenger News. “However, certain direct and indirect laws and regulations exist.”
“CERT-In Rules of 2013 imposes mandatory notification requirements on service providers, intermediaries, data centers, and corporate entities upon the occurrence of any breach,” Koundinya said.
The Personal Data Protection Bill of 2019 includes provisions like the appointment of a data protection officer, notification of a breach to individuals after the determination of the nature of the breach by CERT-In, and a 2-4 percent global turnover as a penalty for breaches.
“The bill offers similar protection and more stringent compliance, especially with regard to the processing of sensitive personal data, including requiring explicit consent, imposing additional conditions for cross-border transfers, and requiring a copy to be stored in India,” advocate Koundinya said.
Japan was the top attacked country in Asia in 2020, followed distantly by India and Australia, according to a report from IBM Security. Data theft was the most common attack type in Asia in 2020, followed by ransomware.
(Edited by Amrita Das and Gaurab Dasgupta)