Gurugram-based online travel agency (OTA), Ixigo, is currently investigating the allegations of a user data breach and maintains that, as of now, “there’s nothing conclusive to show that it has actually happened”.
TechCrunch on February 12 reported that “18 million records from travel booking site Ixigo” had been stolen by a hacker, as part of 127 million records stolen from eight websites. The story, which was first reported by UK-based tech news website The Register, said that users’ names, email addresses and scrambled passwords were leaked. Ixigo has said it will clarify the matter by Monday (February 18).
According to TechCrunch, citing the hacker’s listings, Ixigo used the old and outdated MD5 hashing algorithm to scramble passwords, which hackers can easily unscramble.
“We are continuing to investigate the alleged breach and have not confirmed anything. We do not store payment, cards or financial information for any of our users. We encrypt and hash our passwords with a one-way hashing algorithm,” Ixigo’s founder Aloke Bajpai told Inc42 in an email correspondence.
Ixigo now claims to have already taken pre-emptive security measures, such as two-factor authentication, and, as a precaution, to have reset the passwords and security tokens of its users.
Bajpai, along with cofounder Rajnish Kumar, launched Ixigo in 2006. The company counts Sequoia Capital India, Fosun RZ Capital and SAIF Partners as major investors. The startup claims a user base of over 100 million, as of October 2018. Ixigo allows users to compare and book from more than 120 travel suppliers and OTAs across flights, hotels, trains, cabs and destinations.
Data is being widely touted as the new oil, and as a result it has become very lucrative for hackers to steal and sell it. Earlier, online food delivery startup Zomato, FreshMenu, fintech startup EarlySalary, McDonald’s India, Ashley Madison, Sony and many others were victims of data breaches.
Presently, there is no specific legislation that deals with data protection. However, with growing concern over the rising number of data breaches, the Ministry of Electronics and Information Technology (MeitY) has formulated a Draft Personal Data Protection Bill, 2018. The Bill, once enacted, will prescribe penalties of up to INR 5 Cr ($700.9K), which can go up to INR 15 Cr ($2.1 Mn), for violations such as processing of personal data, etc.