[UPDATE] Flipkart, Myntra User Data Compromised Again In Phishing Scam

Data of Flipkart and Myntra users was reportedly compromised by a phishing group operating from two offices in Noida. The city police’s cybercrime cell arrested 45 people working in a fake call centre setup. 

The gang was found to be in possession of sensitive user data including names, email IDs, shipping address, customer buying history and order IDs, according to a media report. 

Vaibhav Krishna, chief of Noida Police reportedly said that the data was in fact sourced from the ecommerce companies Flipkart and Myntra but they are still investigating whether the companies had authorised this data sourcing. 

Interestingly, almost half (22) of the arrested people were women. According to the police, the gang conned customers by posing as Flipkart and Myntra representatives and offered cashbacks to customers on past purchases. 

In some cases, the customers were offered a 10%-20% discount on their next purchase towards which they had to pay a registration amount (INR 3K-10K) through UPI or online transaction made to the caller. Dileep Saroj, the alleged head of the gang is yet to be arrested, the report added. 

This is not the first case of phishing reports in ecommerce companies. In April this year, the Uttar Pradesh Special Task Force also caught a similar gang responsible for the data leak of 14 Lakh online shoppers, amounting to a loss of INR 200 Cr. 

The Nandan Rao Patel-led gang targeted customers of major ecommerce platforms such as Flipkart, Amazon, Myntra, Paytm, Snapdeal, Shopclues, and HomeShop18 among others. Similar to the latest incident, scammers in UP made fake calls, posing as the representatives of ecommerce companies and convinced customers to transfer money. . 

Cybersecurity Concerns Rise In India

According to the Data Security Council of India (DSCI) report, India saw the second-highest number of cyber-attacks between 2016 and 2018. The average cost incurred for a data breach in the country has also risen 7.9% since 2017, with the average cost per breached record amounting to INR 4,552 ($64). The Indian government has also announced plans to launch a cybersecurity policy by January 2020. 

Cybersecurity company Sequretek found Pankit Desai told Inc42, “As new-age business models shift from supply chain centricity to value chain centricity; the link between various companies’ technologies has become one of the biggest security gaps that businesses will have to fight in the near future.” 

He also noted the upcoming adoption of 5G network will further intensify cybersecurity risks for businesses in India.

Ecommerce companies had been setting multiple checks and balances to mitigate these cases of online fraud. Artificial intelligence startup ThirdWatch has also developed a solution for ecommerce companies to catch possible fraudulent transactions. The company’s AI systems generate a flag for every transaction and give it a risk score which can then be evaluated by the ecommerce company. 

Update | 12:47, Nov 29, 2019

In response to an Inc42 query, Flipkart spokesperson said, “We are yet to receive specific information on the investigation that was conducted by the Noida police.”

“Flipkart Group is absolutely focused on maintaining the safety and security of our customer data and have robust systems and controls in place to safeguard data. The company has a strong information security process aligned to global industry standards such as ISO 27001, PCI-DSS,” the company added.

In order to prevent any more such incidents, the company claimed to be running awareness campaigns across various media and social channels, educating and cautioning customers on this industry-wide problem of fraudulent offers made via SMS, email, or other mediums, we drive awareness campaigns.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.