Fintech Startups Data Breach: Leak Closed Off Within Hours Says Chqbook

Fintech Startups Data Breach: Leak Closed Off Within Hours Says Chqbook

SUMMARY

vpnMentor is the web privacy research group which discovered the data breach

It has also reported a data breach in another fintech startup Credit Fair

On July 31, Credit Fair was yet to fix the loophole

A web privacy research group, vpnMentor has found data breaches in two Indian fintech startups — Credit Fair and Chqbook on July 24. While Credit Fair provides online shopping credit to customers. Chqbook is a finance marketplace which connects customers to credit cards, and personal loans providers. 

vpnMentor said in blog post, “our team discovered that both Credit Fair and Chqbook’s entire databases were unprotected and unencrypted. Credit Fair uses a Mongo Database, while Chqbook uses Elastic Search, neither of which were protected with any password or firewall.”

For Chqbook, the research group claimed to have accessed 67 GB of user data including sensitive information such as user’s phone number, physical address, email, credit card number, expiry date, transactions history, plain text passwords, gender, income, and employment profile among other fields. 

Talking to Inc42, Chqbook founder Vipul Sharma agreed that the company’s database was left vulnerable for a couple of hours on one day but it was soon secured by the team. However, Vipul denied the vpnMentor’s claim that 67 GB of user data was comprised, instead he said that Chqbook does not have that much volume of data. 

According to Vipul, currently 20 Mn customers spread across 25 Indian cities interact with the Chqbook’s platform. He claimed that all of the Chqbook user data is locally saved in the Mumbai servers of Amazon Web Services and is securely encrypted.  

Chqbook’s target customers include SMEs and SME employees and the average demographic of its user base is equally split between salaried and self-employed users with an average credit score of 700, according to Vipul. 

Till now, Chqbook has raised seed funding from a clutch of investors such as Startup Buddy, Harsha Bhogle, Apurva Chamaria, Sachin Arora, Bharat Gupta, and Amit Manocha.

Further, in the case of Credit Fair, vpnMentor group said it was able to extract 44K user records containing fields such as phone number, detailed information of their loan applications, PAN number, IP address, session tokens, Aadhaar number, and more. 

The lending company has still not fixed the issue according to vpnMentor’s post of July 31. An Inc42 query to Credit Fair also did not elicit a response till the time of publication.

Stressing on the dangers of such a privacy loophole, vpnMentor’s said, “If all of this unsecured information was combined, malicious agents and criminals would have a substantial picture of an individual customer’s personal financial records.”

“This information could be used in a number of harmful and illegal ways including account takeover, identity fraud, phishing, blackmail and even extortion.” it added. 

In May, India was reported as the second most cyber attacks affected country between 2016 to 2018. The average cost for a data breach in India has risen 7.9% since 2017, with the average cost per breached record mounting to INR 4,552 ($64). 

Other Data Breach Cases In Startups 

This is not the first case of data breach in Indian startups, many prominent startups across sectors have undergone a data breach. Some recent ones include Truecaller, Justdial, EarlySalary, Ixigo, FreshMenu, and Zomato.

Recently last week, Truecaller has encountered a serious bug which led to automatic creation of UPI accounts for its users. However, the company later disabled the new update which had triggered this bug. 

Earlier in October 2018, another fintech startup EarlySalary was reported to have experienced a security breach, which compromised names and mobile numbers uploaded by potential customers on its website. However, the number of leaked records could not be determined at that time. 

Also in April, two subsequent privacy loopholes were discovered in the hyperlocal search engine Justdial. This data breach was said to have exposed sensitive data of over 100 Mn Indian users. 

In February, travel booking platform Ixigo was reported to have leaked 18 Mn user records. This leak had exposed users name, email addresses, and scrambled passwords. Ixigo was reported to have used an old and outdated MD5 hashing algorithm to scramble passwords, which hackers were easily able to unscramble.

With the increasing number of data breaches in the country, the Indian government has been taking some steps at a policy level. In July, a high-level panel headed by Justice B.N Srikrishna submitted its recommendations and the draft Personal Data Protection Bill 2018 to IT minister Ravi Shankar Prasad. 

Commenting on the government plans of introducing a data protection bill, Vipul said that he supports the government’s stance on requiring all sensitive data of Indian users to be stored locally to ensure that the data easily auditable. 

Step up your startup journey with BHASKAR! From resources to networking, BHASKAR connects Indian innovators with everything they need to succeed. Join today to access a platform built for innovation, growth, and community.

You have reached your limit of free stories
Become An Inc42 Plus Member

Become a Startup Insider in 2024 with Inc42 Plus. Join our exclusive community of 10,000+ founders, investors & operators and stay ahead in India’s startup & business economy.

2 YEAR PLAN
₹19999
₹7999
₹333/Month
UNLOCK 60% OFF
Cancel Anytime
1 YEAR PLAN
₹9999
₹4999
₹416/Month
UNLOCK 50% OFF
Cancel Anytime
Already A Member?
Discover Startups & Business Models

Unleash your potential by exploring unlimited articles, trackers, and playbooks. Identify the hottest startup deals, supercharge your innovation projects, and stay updated with expert curation.

Fintech Startups Data Breach: Leak Closed Off Within Hours Says Chqbook-Inc42 Media
How-To’s on Starting & Scaling Up

Empower yourself with comprehensive playbooks, expert analysis, and invaluable insights. Learn to validate ideas, acquire customers, secure funding, and navigate the journey to startup success.

Fintech Startups Data Breach: Leak Closed Off Within Hours Says Chqbook-Inc42 Media
Identify Trends & New Markets

Access 75+ in-depth reports on frontier industries. Gain exclusive market intelligence, understand market landscapes, and decode emerging trends to make informed decisions.

Fintech Startups Data Breach: Leak Closed Off Within Hours Says Chqbook-Inc42 Media
Track & Decode the Investment Landscape

Stay ahead with startup and funding trackers. Analyse investment strategies, profile successful investors, and keep track of upcoming funds, accelerators, and more.

Fintech Startups Data Breach: Leak Closed Off Within Hours Says Chqbook-Inc42 Media
Fintech Startups Data Breach: Leak Closed Off Within Hours Says Chqbook-Inc42 Media
You’re in Good company