Leading online food and grocery store BigBasket on Sunday admitted to a potential breach of its customer data and said it was assessing the extent. “We have lodged a complaint with the Bengaluru Cyber Crime Cell and intend to pursue it to bring the culprits to book,” said the city-based company in a statement to IANS.
The Cyber Cell, however, did not confirm receiving the complaint. The 9-year-old etailer is funded by Chinese e-commerce giant Alibaba group, the Mirae Asset-Naver Asia Growth Fund, and the British government-owned CDC group. “As confidentiality of customers is priority, we do not store their financial data, including credit card numbers and are confident that it (data) is secure,” the firm said.
Claiming that it has a robust information security framework, the company said it maintained only email ids, phone numbers, order details and address, which could have been accessed. US-based third-party cyber intelligence firm Cyble claimed in its official blog on Saturday that though the alleged breach occurred on October 14, it detected it on October 30, validated it on October 31, and informed BigBasket on November 1.
BigBasket provides services in 25 cities and towns across the country, offering to deliver 18,000 products from 1,000 brands through the year. “Online shopping for food and groceries dramatically shot up since April due to the Covid-induced lockdown, restrictions like social distancing and the pandemic scare,” said Cyble in the blog.
“In the course of our dark web monitoring, our research team found the database of Big Basket for sale in a cyber-crime market at $40,000,” it said. The user database is estimated to be about 20 million, with names, email ids, password hashes, pin, contact numbers, addresses, date of birth, location, and IP addresses of login.