‘Confident that financial data is secure’: Bigbasket on data breach

Days after online grocer Bigbasket suffered a data breach potentially exposing personal details of around two crore users, Bigbasket has said that it is confident that financial data of users is secure.

The company told TNM in a statement that it learnt about a ‘potential data breach’ a few days ago and is evaluating the extent of the breach and authenticity of the claim in consultation with cybersecurity experts and is finding immediate ways to contain it.

Bigbasket has also filed a complaint with Cyber Crime Cell in Bengaluru and said it intends to “pursue this vigorously to bring the culprits to book.”

It added that it doesn’t store any financial data including credit card numbers etc. and is confident that this financial data is secure. The only customer data that it maintains are email IDs, phone numbers, order details, and addresses, so these are the details that could potentially have been accessed, Bigbasket said.

“We have a robust information security framework that employs best-in-class resources and technologies to manage our information. We will continue to proactively engage with best-in-class information security experts to strengthen this further,” it added.

However, Bigbasket has not yet informed its users if their data has been compromised. As it usual practice, companies inform users if they suspect that their data may have been compromising, advising users to change or reset their passwords.

The data breach came to light on November 7 after Cyber intelligence firm Cyble said in a blog post that a hacker has allegedly put Bigbasket’s data on sale for around Rs 30 lakh on the Dark Web.

“In the course of our routine Dark web monitoring, the Research team at Cyble found the database of Big Basket for sale in a cyber-crime market, being sold for over $40,000. The leak contains a database portion; with the table name ‘member_member’. The size of the SQL file is ~ 15 GB, containing close to 20 Million user data,” Cyble said.

It added that the leaked data includes full names, email IDs, password hashes (potentially hashed OTPs), pin, contact numbers (mobile + phone), full addresses, date of birth, location, and IP addresses of login among many others.

According to Cyble, the breach happened on October 14, was detected by it on October 30, which was then validated the next day and communicated to Bigbasket’s management on November 1.

This breach comes at a time when the Tata group is reportedly in talks to acquire a majority stake in Bigbasket. Bigbasket, which leads the online grocery space in India saw its user base and order volumes surge amid the coronavirus pandemic, especially in the initial months of lockdown. As per a Hindu BusinessLine report, the company was seeing about 1.5 lakh orders a day even before the COVID-19 pandemic.

It reportedly doubled its sales from February to July 2020 and saw an 80% growth in customer base with average order value growing from Rs 1,300 in February to Rs 1,500. 

Bigbasket is currently operational in Bengaluru, Hyderabad, Mumbai, Pune, Chennai, Delhi, Noida, Mysore, Coimbatore, Vijayawada-Guntur, Kolkata, Ahmedabad-Gandhinagar, Lucknow-Kanpur, Gurgaon, Vadodara, Visakhapatnam, Surat, Nagpur, Patna, Indore and Chandigarh Tricity city.

The online grocer is valued at between $2 billion-$2.5 billion and counts Alibaba Group, Mirae Asset-Naver Asia Growth Fund, and the UK government-owned CDC group as investors.