Lessons from Justdial ‘data breach’
At a time when services are rapidly digitising in India, enterprises are witnessing a rise in cases of sensitive data exposure risks and breaches.
Peerzada Abrar and Yuvraj Malik report.
On April 12, security researcher Rajshekhar Rajaharia was at home, surfing the Web.
He landed on the Web site of Justdial, a provider of local search for different services.
Rajaharia works with several law enforcement agencies to solve cyber security cases.
He immediately realised something was wrong.
He found the APIs (application programme interfaces) of the tablet version of Justdial’s Web site was exposed — this made the personal information of 100-odd million users ‘publicly accessible’.
This included information such as names, e-mail IDs, mobile numbers, genders, dates of birth, addresses, photos and occupations of the users.
“Anyone having access to it (APIs) can grab all the data,” says Rajaharia. “I immediately tried to reach the firm to alert them, but didn’t get a response immediately.”
In fact, said Rajaharia (he is from Rajasthan), he didn’t get any response for five days.
On Thursday, April 18, the firm told him the issue had been fixed.
However, it did not ask him if “there were any other vulnerabilities” on the Web site that needed to be addressed.
“They still have an OTP-related API which is publicly accessible,” says Rajaharia.
In a stock exchange filing, Justdial said there had been no data breach of the 100 million users.
All sensitive user information were protected in line with industry practices.
‘Further, the majority of Justdial platforms work on OTP-based authentication,’ the company stated.
The firm said it stored the financial information in a double-encrypted format, regularly audited by a PCI DSS (Payment Card Industry Data Security Standard)- compliant auditing firm.
‘This vulnerability which existed on the older app platforms is also now fixed. Newer (current) versions of the app, where the majority of users are available, do not have the above vulnerability,’ the firm said.
Justdial says it has implemented adequate encryption for the older APIs which were impacted.
While regular audits are conducted, it has also initiated an independent tech-audit to identify existing vulnerability.
Experts say at a time when services are rapidly digitising in India, enterprises are witnessing a rise in cases of sensitive data exposure risks and breaches.
By industry-best practice, service providers need to perform an annual audit of their security set-ups.
“Many firms are not doing it and, unfortunately, from the regulatory side, there is no enforcement action,” says Salman Waris, managing partner at Delhi-based technology law firm TechLegis Advocates & Solicitors.
Also, there is a lack of awareness among users about data security and privacy.
“Generally, consumers even don’t get to know that their personal data were (exposed),” adds Waris.
Experts say a breach does not necessarily mean that data was indeed stolen and misused.
In many cases, companies have admitted to data being ‘exposed’ previously, with potential to be downloaded.
This January, State Bank of India admitted it was using an offsite server for an SMS-based account information-fetching service, which previously might have been left exposed.
KrebsOnSecurity also reported that hackers had compromised IT services firm Wipro’s systems and used these to launch attacks on some of its clients.
Source: Read Full Article