Data breach: Data of 100 million JustDial users lay exposed for over a year

Debangana Ghosh Updated - July 28, 2021 at 10:17 AM.

Breach fixed on security researcher’s alert; only audit report can reveal any leak


Personally Identifiable Information, or PII, of around 100 million users of local business listing platform JustDial was at risk after an Application Programming Interface (API) was left unprotected for over a year. A patch now appears to have secured the PII data, which included users' name, gender, profile picture, email ID, mobile number and date of birth.

Independent internet security researcher Rajshekhar Rajaharia, who first tweeted about this on Tuesday, told BusinessLine that after spotting the data breach he had notified the company, and that it was patched and resolved immediately.

“The company’s data was exposed since March 2020, though we can’t say yet if they have been leaked. We will only know once JustDial releases an audit report on it,” Rajaharia said. JustDial needs an audit as more bugs might be present in the system, he added.

An email to JustDial seeking its response went unanswered. JustDial became a Mukesh Ambani group company just 10 days ago, when Reliance Retail picked up a 41 per cent stake in it for ₹3,497 crore. The company offers services such as bill payment and recharge, grocery and food delivery, and bookings for restaurants, cabs, movie tickets, flight tickets, and events.

Not the first time

This is not the first time JustDial’s database has been left exposed. Around April 2019, Rajaharia had found that the same API was exposing user data in real time, as and when somebody would call or message JustDial over its app and website. The company said it had fixed the problem, but it seems to have resurfaced just a year later. “JustDial never mentions the absolute number of registered users. They share numbers of active users and the merchant base but never the total number, because every time somebody calls on the platform’s ‘88888 88888’ number, the caller data immediately gets saved on JustDial’s database. This data, too, is at risk of getting exposed. And the API in question can track this data in real time. If a hacker manages to get it, he can easily pull out and upload the data of every JustDial user on the Dark Web,” Rajaharia explained.

Since the pandemic broke last year, many popular internet companies and their users have been the target of data breaches and negligence. This includes MobiKwik, JusPay, Upstox, Bizongo, BigBasket, Dominos India and even Air India.

Kapil Gupta, co-founder, Volon Cyber Security, told BusinessLine, “Customers need to be notified about any data leak happening in companies so that they can reset accounts and change passwords to protect their data. Though users can sue, raise a complaint and even ask for damages, under the Right to Privacy or IT Acts, these policies are still open to interpretation. The articulation is not obvious.”

“The proposed Data Protection Bill gives more clarity on accountability of the companies facing a data breach. They have to voluntarily disclose and pay a fine if a data breach happens or they will be punished under the law. But we are still waiting for the DPB,” he added.

Published on July 27, 2021 16:19