Once again, Flipkart-owned online travel aggregator Cleartrip has been the victim of a data breach. However, this time is unlike the hack in 2017, when the hacker group Turtle Squad hacked and defaced its website for a few minutes.
This time, Cleartrip has been hit with a massive data breach in its internal servers, and the hacker(s) seem to have made with a decent amount of data, which has been claimed to be posted on the dark web on a private, invite-only forum.
“This is to inform you that there has been a security anomaly that entailed illegal and unauthorised access to a part of Cleartrip’s internal systems,” the 16-year-old company informed its customers in an email.
It maintained that while some personal details of its consumers were vulnerable and part of customer profiles had been exposed due to the “anomaly” in its systems, no sensitive information had been compromised. Nonetheless, it is better to be safe than sorry, and Cleartrip clearly feels the same. It suggested its customers to reset their passwords as a precautionary measure.
The exact nature of the stolen data has not been revealed, not has the company shared further details about the “security anomaly” it detected in several of its internal systems.
However, security researcher Sunny Nehra shared a screenshot of hackers on Twitter that depicted the sale of Cleartrip data by hackers on the dark web. “The screenshot as was posted by the threat actor (on private forum) to sell the data. As can be seen: the breach is new, customer entries info as well as internal company files are there,” his tweet read.
The data in question seemed to contain not only revenue and sensitive information of customers, but also “GST on advance working” and suggested that an insider was involved in the massive data breach.
For its part, the online travel aggregator’s information security team has joined forces with an external forensics partner in order to tackle the issue. It has also reached out to the proper authorities and will be taking further legal action against the hackers.
Cleartrip has also informed CERT-In (the Indian Computer Emergency Response Team) about the breach within six hours, in accordance with the guidelines given by the same last month. This is also the first significant data breach in the country that has been unveiled since the rules and guidelines were announced.