The cybersecurity vulnerability within the Indian tech ecosystem is growing wider and more apparent by the day, with another report of a data leak surfacing this week. This time it’s Mumbai-based Bizongo, a business-to-business (B2B) packaging marketplace, which suffered a data leak exposing 2.5 Mn files pertaining to its customers.
While the vulnerability was fixed soon after the discovery in December 2020, it raises the question of whether Indian startups need to reassess their approach towards data security.
Bizongo confirmed the presence of an unsecured database, which means it was open to access by third parties. The company said that it received alerts from AWS about a leak through its S3 buckets about four months ago, in December 2020, after which it secured access to the server within a few hours.
Bizongo said that web development firm Website Planet had access to the company’s data when it was open. Website Planet had alerted Bizongo about the vulnerability and worked with the company to fix the issue. However, the company did not reveal whether the data was accessed by other unauthorised third parties.
The exposed data is said to include names, addresses, and phone numbers of Bizongo’s business customers, including but not limited to Flipkart, Swiggy, Curefit, Reliance Retail, Delhivery, Box8, Bunge, Saso, Jodhpur, Neolite, Snapdeal, Carnival Group and others, as per Website Planet.
“Website Planet, a security blog, has reported having access to our S3 buckets when it was open. They have indicated that their goal is only to secure access to customer’s data and are working with us to help resolve the issue,” Vinothkumar Srinivasan, VP, engineering & product at Bizongo, told Inc42.
“We take data security very seriously and implement best security practices to keep ours and our customer data secure. We have taken strong measures to prevent such accidental misconfiguration from happening in future,” Srinivasan added.
The five-year-old startup offers packaging supplies for the ecommerce, retail, restaurant and hospitality, FMCG, and industrial logistics sectors. The company claims to have over 350 clients, including many leading brands. On being asked if the impacted customers were informed about the leak, Srinivasan said, “We send regular audit reports and any security risks of the data to our customers.”
According to Website Planet, there were a total of 2.5 Mn files that were exposed due to the misconfiguration, which amounted to 643 GB of data.
“With clear examples of branded shipping labels and customer receipts, it was very straightforward to locate the owner of the remaining database,” Website Planet wrote in a blog post, adding, “All of the exposed data were accurately identified with data from real individuals.”
Poor State Of Cybersecurity In Indian Startups
The data leak is just the latest to come to light among the many similar incidents that have seized the headlines and the public's attention in recent months. Recently, Moneycontrol faced a data breach affecting over 7 lakh users, whose data was allegedly put up for sale on the dark web for $350.
Last week, online discount broking platform Upstox suffered a data breach that allegedly affected 2.5 Mn users.
Earlier, fintech startup Mobikwik denied claims about a data breach impacting 100 Mn users in March 2021. The allegation, which the fintech company repeatedly denied, led to a warning from the RBI, which ordered a forensic audit of the breach. Reports of a data breach affecting tech giants Facebook and LinkedIn have also made headlines in recent weeks.
Similarly, in November last year, data from iimjobs.com that included encrypted passwords of 1.4 Mn registered users was allegedly leaked on the dark web. Notably, in most cases, the report of a data breach never came from the affected company’s end. Many companies have faced criticism and backlash from users for not being accountable and not informing impacted users about the data leaks or potential breaches.
Update: 14th April, 11:07 AM: An earlier version of the story incorrectly mentioned Jio as a possible impacted business of the data leak. The story has been edited to reflect the right brand impacted, i.e. Reliance Retail.