As the world goes online, and hackers continue to farm user data for nefarious purposes, the need for data protection has become one of the biggest challenges facing the modern world. Thus, tech companies have been trying to strengthen their defenses by providing better security to their users and ensuring that their data stays safe. Thus, when a massive data hack hack happens, it becomes a cause for grave concern. India’s second-largest stock broker (in terms of customers) Upstox has become the latest victim, after MobiKwik, Facebook, LinkedIn, and others, after its security systems were breached by hackers, who stole KYC and other data of about 25 lakh (2.5 million) customers.
Post the breach, Upstox reached out to its customers assuring them that their shares and funds are safe and that it has enhanced the security system at its servers.
Upstox added that it has taken appropriate steps and informed the authorities.
According to security researcher Rajshekhar Rajaharia, one of the several web security analysts who tweeted about the breach earlier, the stolen data includes the Aadhaar, PAN, passport, bank account numbers, mobile numbers, and even the photos of signatures.
This is a massive cause for alarm, as hackers or other parties can impersonate users using this data and complete transactions on their behalf without the knowledge or consent of the users.
Rajaharia said that a compromised Amazon Web Service (AWS) was the reason behind the data breach – the same vulnerability that was exploited in the data breach of MobiKwik earlier. According to him, the hacker group ShinyHunters, which is said to be responsible for various data breaches of Indian firms like BigBasket and JusPay, is behind the recent data breach as well.
Following the breach, Upstox restricted access to the impacted database, added multiple security enhancements at all third-party data-warehouses, set up real-time, 24×7 monitoring, and “ring-fenced” its network. “As a matter of abundant caution, we have also initiated a secure password reset via OTP,” CEO Ravi Kumar said. “We would like to assure you that your funds and securities are protected and remain safe. Funds can only be moved to your linked bank accounts and your securities are held with the relevant depositories,” he added.
If you are a Upstox user, rest assured that your funds and shares are safe, according to Upstox. Funds can only be withdrawn to the linked bank account, and your shares are held with the depositories – either the Central Depositories Services India Ltd (CDSL) or the National Securities Depository Ltd (NSDL) – and not with Upstox.
A company spokesperson informed that Upstox has appointed a leading international cyber-security firm to investigate the matter. “Upstox takes customer security extremely seriously. We don’t know with certainty the number of customers whose data has been exposed,” they added.
Delhi-based Upstox, which allows its customers to buy and sell shares, is backed by investors like Tiger Global and Tata, has revealed that it has enhanced its bug bounty program to encourage ethical hackers, who will stress test its systems and protocols and help it identify any vulnerabilities from time to time. It is also one of the official partners of the Indian Premier League (IPL).
Reacting to the data breach, Upstox wrote on its website, “We have upgraded our security systems manifold recently, on the recommendations of a global cyber-security firm. We brought in the expertise of this globally renowned firm after we received emails claiming unauthorized access into our database.”
Meanwhile, the company has urged its customers to follow practices like using unique passwords and not sharing OTPs with others, while simultaneously urging them to beware of online fraud and double-check the legitimacy of links and senders, to watch out for OTPs that they have requested and to alert the service provider in such events.