Zomato, India’s largest online restaurant guide, on Thursday (May 18) was hit by a ‘security breach’, when its security team discovered an incident that has resulted in unauthorized access to account information (including name, email address and hashed password) for its 17 million users.
Put simply, it means that Zomato’s ‘payment data’ has been stolen where details of plastic cards are stored. The company, however, claims to have found no evidence of unauthorized access to financial and/or credit card information.
“When payment data is stolen, it becomes easier for hackers to get access to the credit and debit card details,” said Tarun Wig, co-founder of Innefu Labs, a research oriented information security group. “More often than not, people use a single password for using their debit and credit cards for all online transactions. They are at a bigger risk.”
The real and detailed implications of the hacking episode at the Gurgaon-headquartered company will come to light in a few days’ time. Apart from credit and debit card usage, hackers may also start blackmailing users, said IT security experts.
Going forward, it needs to be seen if Zomato will be liable to pay its users a compensation. “While it’s a little early to arrive at any conclusion as the incident has just occurred, there is a regulatory framework in India that makes companies accountable when there is a breach of personal information by the privacy rule notified under Section 43A of IT Amendment ACT 2008, for failure to implement reasonable security practices” said Vinayak Godse, senior director, Data Security Council of India, a Nasscom initiative. However, the laws may not be as stringent and comprehensive as other countries. Similar cases of security breach has gripped companies such as Target, Heartland Payments and E-Sport Entertainment in the past globally.
Zomato officials have tried to allay fears. “All payment information on Zomato is stored in a highly secure PCI Data Security Standard (DSS) compliant vault - no payment information or credit card data has been leaked,” said a company spokesperson, in response, by email.
The team in Zomato is currently scanning all possible breach vectors and closing any gaps in our environment. “And though the hashed password cannot be converted back to plain text, as a safety measure, we have reset the passwords for all affected users and logged them out of the app and website,” the spokesperson at Zomato said.
All the users’ names and email addresses have been accessed and “the passwords are hashed and salted,” the spokesman added.This means it can’t be converted back to the original password. Hashing is a mathematical function designed to turn a password into an unintelligible string of characters, repeatedly but without the possibility of easily being translated back to the source password. Salting is a random, unique string of characters added to a user's password before it is hashed, rendering it likely unintelligible even if the hash is translated.
It was in 2013 when Target Corp had been victim of a massive hack or a data theft where as many as 40 million credit cards were compromised. The Minneapolis-based retailer, later, had agreed to pay a whopping $39.4 million - as compensation - to banks and credit unions in late 2015/early 2016 to settle lawsuits.
According to a joint study by The Associated Chambers of Commerce and Industry of India (Assocham) and consulting firm PricewaterhouseCoopers (PwC), the number of cybercrime cases registered under the Information Technology (IT) Act 2000 increased by about 350 percent from 2011 to 2014.
More recently, India made headlines late last year when it witnessed one of its biggest cyber frauds related to banks, with over 32 lakh debit cards of various public and private sector banks facing threats of breach due to hacking.