vpnMentor, a web privacy research group, reported on July 24 that it had found exposed databases at two Indian fintech startups, Credit Fair and Chqbook. Credit Fair provides online shopping credit to customers, while Chqbook is a finance marketplace that connects customers with credit card and personal loan providers.
vpnMentor said in a blog post, “Our team discovered that both Credit Fair and Chqbook’s entire databases were unprotected and unencrypted. Credit Fair uses a MongoDB database, while Chqbook uses Elasticsearch, neither of which was protected with any password or firewall.”
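The two weaknesses vpnMentor names, no password and no firewall, are both visible in the server's own configuration before any attacker shows up. As an added example (not code from vpnMentor, Credit Fair or Chqbook), the Python script below audits a mongod.conf and an elasticsearch.yml for exactly those two settings. The four sample configs are constructed here, and the small `parse_flat_yaml` helper is an assumption that handles only the flat `key: value` subset those files use; with PyYAML available you would use `yaml.safe_load` instead.

```python
"""Audit MongoDB / Elasticsearch configs for the two weaknesses vpnMentor
describes: listening on every interface and accepting clients with no auth."""

# Constructed sample configs (illustrative, not taken from any real deployment).
MONGOD_CONF_EXPOSED = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

MONGOD_CONF_HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

ES_YML_EXPOSED = """\
cluster.name: prod
network.host: 0.0.0.0
http.port: 9200
"""

ES_YML_HARDENED = """\
cluster.name: prod
network.host: 10.0.0.7
xpack.security.enabled: true
"""


def parse_flat_yaml(text):
    """Minimal parser (assumption, not a YAML implementation) for the
    'key: value' / two-space-indented subset these files use.
    Returns dotted keys, e.g. {'net.bindIp': '0.0.0.0'}."""
    result = {}
    stack = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        dotted = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip()
        if value:
            result[dotted] = value
        else:
            stack.append((indent, key.strip()))  # a nested mapping follows
    return result


def audit_mongod(text):
    """Flag a mongod that listens on all interfaces and/or runs without
    access control. Defaults assumed are those of mongod 3.6+."""
    cfg = parse_flat_yaml(text)
    findings = []
    bind = cfg.get("net.bindIp", "127.0.0.1")
    if "0.0.0.0" in bind or cfg.get("net.bindIpAll") == "true":
        findings.append("mongod listens on all interfaces (net.bindIp)")
    if cfg.get("security.authorization", "disabled") != "enabled":
        findings.append("mongod accepts unauthenticated clients (security.authorization)")
    return findings


def audit_elasticsearch(text):
    """Flag an Elasticsearch node bound to a non-local interface and/or with
    security features off. In the 6.x/7.x releases current in 2019, security
    was disabled unless xpack.security.enabled was set, so anyone who could
    reach :9200 could read every index."""
    cfg = parse_flat_yaml(text)
    findings = []
    host = cfg.get("network.host", "_local_")  # default: loopback only
    if host in ("0.0.0.0", "::", "0", "_global_", "_site_"):
        findings.append(f"elasticsearch listens on a non-local interface (network.host: {host})")
    if cfg.get("xpack.security.enabled", "false") != "true":
        findings.append("elasticsearch HTTP API accepts unauthenticated requests (xpack.security.enabled)")
    return findings


if __name__ == "__main__":
    for name, text, audit in [
        ("mongod exposed", MONGOD_CONF_EXPOSED, audit_mongod),
        ("mongod hardened", MONGOD_CONF_HARDENED, audit_mongod),
        ("elasticsearch exposed", ES_YML_EXPOSED, audit_elasticsearch),
        ("elasticsearch hardened", ES_YML_HARDENED, audit_elasticsearch),
    ]:
        print(name, "->", audit(text) or "OK")
```

A config audit only sees half of the picture: binding to a private address such as 10.0.0.7 is still exposed if the host's firewall or cloud security group lets the internet reach port 27017 or 9200, which is the "no firewall" half of vpnMentor's finding. The live check is the one the researchers effectively ran: `curl http://HOST:9200/_cat/indices` against Elasticsearch, or `mongo --host HOST --eval 'db.adminCommand("listDatabases")'` against MongoDB, should fail with an authentication error rather than return data. Encryption at rest does not change that result: a database that answers unauthenticated queries hands decrypted rows to whoever connects.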
For Chqbook, the research group claimed to have accessed 67 GB of user data, including sensitive fields such as users’ phone numbers, physical addresses, email addresses, credit card numbers and expiry dates, transaction history, plaintext passwords, gender, income, and employment profile.
Talking to Inc42, Chqbook founder Vipul Sharma agreed that the company’s database had been left exposed for a couple of hours on one day but said it was soon secured by the team. However, Sharma denied vpnMentor’s claim that 67 GB of user data was compromised, saying that Chqbook does not hold that much data.
According to Sharma, 20 Mn customers across 25 Indian cities currently interact with Chqbook’s platform. He claimed that all Chqbook user data is stored on Amazon Web Services servers in Mumbai and is securely encrypted.
Chqbook’s target customers are SMEs and SME employees, and its user base is split roughly equally between salaried and self-employed users, with an average credit score of 700, according to Sharma.
So far, Chqbook has raised seed funding from investors including Startup Buddy, Harsha Bhogle, Apurva Chamaria, Sachin Arora, Bharat Gupta, and Amit Manocha.
In the case of Credit Fair, vpnMentor said it was able to extract 44K user records containing fields such as phone number, details of loan applications, PAN number, IP address, session tokens, Aadhaar number, and more.
According to vpnMentor’s post of July 31, the lending company had still not fixed the issue. An Inc42 query to Credit Fair had not received a response at the time of publication.
Stressing the dangers of such an exposure, vpnMentor said, “If all of this unsecured information was combined, malicious agents and criminals would have a substantial picture of an individual customer’s personal financial records.”
“This information could be used in a number of harmful and illegal ways including account takeover, identity fraud, phishing, blackmail and even extortion,” it added.
In May, India was reported to be the second most cyber-attack-affected country between 2016 and 2018. The average cost of a data breach in India has risen 7.9% since 2017, with the average cost per breached record reaching INR 4,552 ($64).
Other Data Breach Cases In Startups
This is not the first data breach at an Indian startup; many prominent startups across sectors have suffered one. Recent cases include Truecaller, Justdial, EarlySalary, Ixigo, FreshMenu, and Zomato.
Last week, Truecaller encountered a serious bug that led to the automatic creation of UPI accounts for its users. The company later disabled the update that had triggered the bug.
In October 2018, another fintech startup, EarlySalary, was reported to have suffered a security breach that compromised the names and mobile numbers uploaded by potential customers on its website. The number of leaked records could not be determined at the time.
In April, two successive privacy loopholes were discovered in the hyperlocal search engine Justdial; the breach was said to have exposed sensitive data of over 100 Mn Indian users.
In February, travel booking platform Ixigo was reported to have leaked 18 Mn user records, exposing users’ names, email addresses, and hashed passwords. Ixigo was reported to have hashed passwords with the old and outdated MD5 algorithm, without salting, which let attackers recover the original passwords easily.
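Why an unsalted MD5 table falls so quickly is worth seeing concretely. The Python below is an added example, not code from Ixigo or from the article: it runs a dictionary attack against a constructed table of bare MD5 hashes (one hash computation per candidate word covers every leaked user at once), then stores the same passwords the way they should have been stored, with a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256 from the standard library), and shows that the same attack now costs one KDF call per user per word. The user names, passwords and wordlist are constructed; the `$`-separated storage format is an assumption for the example.

```python
"""Unsalted MD5 versus salted slow hashing, under the same dictionary attack."""
import hashlib
import hmac
import secrets

# Constructed wordlist and users; nothing here comes from a real dump.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "ixigo2019"]


def md5_hex(pw):
    return hashlib.md5(pw.encode()).hexdigest()


# Passwords stored as bare MD5, the scheme the article attributes to Ixigo.
LEAKED_MD5_ROWS = {
    "alice@example.com": md5_hex("password"),
    "bob@example.com": md5_hex("letmein"),
    "carol@example.com": md5_hex("Tr0ub4dor&3"),  # deliberately not in the wordlist
}


def crack_unsalted(rows, wordlist):
    """Dictionary attack on unsalted hashes: hash every candidate ONCE and
    look the leaked hashes up in that table. Work is O(len(wordlist)) no
    matter how many users leaked; public MD5 lookup tables make it O(1).
    Returns {user: recovered_password}."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in rows.items() if h in table}


# --- The sane alternative: per-user random salt + slow, iterated KDF --------
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor per current OWASP guidance


def hash_password(pw, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$dk_hex' (format is an assumption)."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw, stored):
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash scheme")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time compare


def crack_salted(rows, wordlist):
    """Same dictionary attack against salted slow hashes. The salt defeats any
    shared table, so each (user, word) pair costs a full KDF run.
    Returns ({user: recovered_password}, number_of_kdf_calls)."""
    found, kdf_calls = {}, 0
    for user, stored in rows.items():
        _, iters, salt_hex, dk_hex = stored.split("$")
        for w in wordlist:
            kdf_calls += 1
            dk = hashlib.pbkdf2_hmac("sha256", w.encode(), bytes.fromhex(salt_hex), int(iters))
            if hmac.compare_digest(dk, bytes.fromhex(dk_hex)):
                found[user] = w
                break
    return found, kdf_calls


if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_unsalted(LEAKED_MD5_ROWS, COMMON_PASSWORDS))
    # Low iteration count here only so the demo finishes instantly.
    salted = {u: hash_password(p, iterations=1000)
              for u, p in [("bob@example.com", "letmein"), ("carol@example.com", "Tr0ub4dor&3")]}
    found, calls = crack_salted(salted, COMMON_PASSWORDS)
    print("salted PBKDF2 cracked:", found, "after", calls, "KDF calls")
```

The first attack recovers every weak password in the table with five MD5 calls total; the second needs a separate KDF run per user per guess, and at a production work factor each run takes hundreds of milliseconds. Salting does not save a user who chose "letmein", but it removes the shared lookup table and makes the cost scale with the number of users, which is the whole difference between a leak that is cracked in minutes and one that is not. For new code, argon2id or bcrypt is preferable to PBKDF2; PBKDF2 is used here only because it ships with the standard library.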
With the number of data breaches in the country growing, the Indian government has been taking steps at the policy level. In July 2018, a high-level panel headed by Justice B.N. Srikrishna submitted its recommendations and the draft Personal Data Protection Bill 2018 to IT minister Ravi Shankar Prasad.
Commenting on the government’s plan to introduce a data protection bill, Sharma said he supports the government’s stance that all sensitive data of Indian users be stored locally, so that the data is easily auditable.