Names and mobile numbers provided by potential customers on the EarlySalary website were compromised
The company said the vulnerability has been fixed and the law enforcement agency has been informed
In response to the breach, additional security has been added in Apache to block threats
Pune-based fintech startup EarlySalary reported a security breach — the names and mobile numbers uploaded by potential customers on its website were compromised.
Without mentioning the numbers, the company stated that this data belonged to potential customers.
In an important security update on its website, EarlySalary said that the vulnerability has been fixed and the concerned law enforcement agency has been informed about the matter.
The company also claimed that its central customer database, which includes the data — including sensitive personal details and transactions — of all existing EarlySalary customers, remains completely secure and was not impacted by the breach.
In response to the breach, additional security has been added in Apache to block threats. “The database credentials have been changed, and additional security blocks have been placed on the EarlySalary website. We are working with law enforcement to identify the IP source for this incident. We will further enhance security measures within our database and are working towards implementing PCI-DSS certification to make the platform more secure,” the company said.
Also, EarlySalary will inform the Pune Cyber Security Cell about this incident.
Founded in 2015 by Akshay Mehrotra and Ashish Goyal, EarlySalary is a mobile-first lending platform. It provides salary advances and instant cash loans based on a smart risk scoring system. The fintech startup provides salary advances up to 50% of one’s monthly salary to its users. To date, the startup has raised $22.1 Mn, the latest round being $15.7 Mn (INR 100 Cr) in Series B funding led by Eight Roads Ventures India in January 2018.
Data Bill All The More Important As Breaches Increase
The development comes less than a month after foodtech startup FreshMenu owned up to a data breach from 2016 that it had concealed earlier; the breach reportedly affected 110K Indian users.
Earlier, in 2017, restaurant discovery firm Zomato saw the data of 17 Mn users breached; this included users’ email addresses and hashed passwords.
After the Cambridge Analytica debacle impacting 87 Mn users, social networking giant Facebook reported another massive data breach recently. The company said that in the recent breach, attackers exploited a vulnerability in Facebook’s code that impacted the “View As” feature that lets people see what their profile looks like to someone else. The latest FB attack exploited the complex interaction of multiple issues in the code and compromised the data of 50 Mn Facebook users.
In view of increasing data breaches, it becomes all the more imperative to speed up the implementation of the draft Personal Data Protection Bill 2018.
However, Section 32 of the Bill requires data breach notifications to be made to the proposed data protection authority (DPA) only if the breach is likely to cause ‘harm’ to the data principal. This is a matter of concern as the Bill leaves it to the data fiduciary to judge whether the data breach causes “harm” to the data principal.
The Bill, once enacted, prescribes steep penalties up to INR 5 Cr or 2% of the annual global turnover (of the company in question), whichever is higher, for any contravention of its provisions.
A penalty of INR 15 Cr or 4% of the annual global turnover of the company in question, whichever is higher, is prescribed for violations such as processing of personal data in contravention of the Bill.