Digital Flaw Found In Bike-Sharing Startup Bounce Leaves 2Mn Users’ Data At Risk

With digitisation presenting many business opportunities, the number of data breach incidents have also been on the rise. Latest to suffer a cybersecurity lapse is bike-sharing startup Bounce. A security researcher has found a digital flaw in the Bengaluru-based startup app.

“One of its internal application programming interface (API) can log the hacker into any Bounce account, bypassing the users’ phone number into the request, and in response, it returns with the access token and rider ID, which can be used to access any Bounce account,” according to a media report.

The vulnerability could have allowed hackers to access the accounts of 2 Mn users and their sensitive information, such as driving license, selfies, phone number, or email addresses, said the report.

Founded in 2014 by Vivekananda HR, Anil G and Varun Agni, Bounce offers a dockless urban mobility solution. The startup recently completed 10 Mn transactions in the city with its 9,500 scooters and around 2 Mn customers.

“A technical bug was detected in our system about a potential vulnerability to some user information. We immediately launched an investigation and fixed the bug to ensure that there is no risk to user data because of the identified bug,” CEO and cofounder of Bounce Vivekananda Hallekere told Inc42.

“The bug does not allow any direct access to the app, therefore any exploitation will require the impersonator to make multiple API calls to recreate the bike booking process without the app, requiring deep programming expertise,” he further added. The startup claimed that it does not collect any sensitive data, including email-ids, bank account, credit card, or other financial information and hence, higher sensitivity user information was never at risk.

While Bounce claims to have strong security processes and measures in place, the incident once again questions the effectiveness of cybersecurity in India.

Why Efficient Cybersecurity Is The Need Of The Hour?

The growth in the data economy in India has been exponential. However, poor security infrastructure has also led to several data-breach incidents recently. Bengaluru-based edtech startup Vedantu confirmed last month that it faced a data breach in the last week of September. Data of 687K Vedantu customers were put at risk as the data breach allegedly exposed customer details including email and IP addresses and names.

Before that, almost 1.3 Mn debit and credit card details were allegedly put up for sale on a website called Joker’s Stash. Media reports said that the database had details from various issuing banks and 98% of the leaked data belonged to Indian customers.

According to a Data Security Council of India (DSCI) report this year, India witnessed the second-highest number of cyber attacks in the world between 2016 and 2018. This comes at a time when digitisation of the Indian economy is predicted to result in a $435 Bn opportunity by 2025.

With such rapid technological advancements and 5G soon coming into play, the need of the hour is an effective cybersecurity policy. The Indian government announced in August that it would unveil an official cybersecurity strategy policy by January 2020, which would focus on new kinds of malware and IoT security. The government said what is needed for internet security is increased effective coordination between ministries that are looking after public-private partnerships.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.