Upstox, India’s second largest broking firm in terms of number of active clients, disclosed that its databases, including contact details and know-your-customer (KYC) details, may have been breached. The Delhi-based discount brokerage firm, however contended that it has enhanced its security systems at its servers manifold recently, on the recommendations of a global cyber-security firm against a suspected data breach.
The company has assured the clients that their funds and securities are protected and remain safe. Sources suggest that Upstox has suffered a massive data breach that has exposed some important data like Aadhaar, PAN, bank account numbers, cancelled cheques, signatures and photoraphs apart from other personally identifiable information like passport, mobile numbers and email addresses.
In a message posted on its website, Ravi Kumar, co-founder and CEO of Upstox wrote
“We brought in the expertise of this globally renowned firm after we received emails claiming unauthorized access into our database. These claims suggested that some contact data and KYC details may have been compromised from third-party data-warehouse systems.”
He added that they have strongly fortified their systems to the highest standards to immediately restricted access to the impacted database, added multiple security enhancements at all third party data-warehouses, setup real-time 24x7 monitoring and additionally ring-fenced the network. Upstox has expressed regret for the inconvenience and claims to have reported the incident to the relevant authorities.
“As a matter of abundant caution, we have also initiated a secure password reset via OTP for all Upstox users. Upstox takes customer security extremely seriously. We would like to assure you that your funds and securities are protected and remain safe. Funds can only be moved to your linked bank accounts and your securities are held with the relevant depositories,” Mr Kumar said in the message.
On Saturday, several internet security analysts tweeted about the data breach and said that data of 2.5 million users had been leaked. According to sources, the data breach seems to have happened at a third-party data-warehouse and the files were put up on the dark web.
There have been massive data breaches reported over the past few weeks at some companies like Mobikwik, Linkedin, Facebook.
Web security researcher Rajshekhar Rajaharia, shared with Moneylife that the Upstox data breach includes Aadhaar, PAN, passport, bank account numbers, mobile numbers and even the photos of signatures. This data could be used by hackers or malicious parties to impersonate users and transact on their behalf without the users’ knowledge. A ransomware group called ShinyHunters hacked the Upstox system and is understood to have demanded a ransom of US$1.2 million. According to Mr Rajaharia, the Upstox data breach was made possible due to a compromised Amazon Web Service (AWS) key used by the company. He also revealed the reason to be the improper configuration of Upstox’s Amazon AWS S3 bucket, which has been the reason for many data leaks in past. He claimed that the same AWS key vulnerability was exploited in the MobiKwik data breach as well. This data could be used by hackers or malicious parties to impersonate users and transact on their behalf without the users’ knowledge.
Upstox has acknowledged that hackers put up a sample of their data on the dark web but that they don’t know with certainty the number of customers whose data has been exposed.
The company has also ramped up its bug bounty programme to encourage ethical hackers to stress test its systems and protocols and help it identify any vulnerabilities from time to time.
The company has urged customers to always use unique strong passwords that are different from older versions and to not share OTPs with anyone. It also urged the customers to beware of online fraud and double-check the legitimacy of links and senders, to watch out for OTPs that they have requested and to alert the service-provider in such events.
Upstox is backed by investors like Tiger Global and Ratan Tata and has nearly 3 million users and is the second biggest broker in terms of client numbers behind Zerodha.
Over the past few years, discount brokerages like Upstox and Zerodha have grown their client base manifold riding a spike in mobile trading buoyed by easy availability of mobile phones and low broadband data rates and targeting the young under-35 consumer base.
Discount brokerages operate on wafer thin costs of trading and have surpassed traditional big players in the sector like ICICI Securities, HDFC Securities and Kotak Securities.
Upstox last month signed up with Board of Control for Cricket in India (BCCI) to be one of the sponsors of Indian Premier League (IPL). In a series of multimedia campaigns including TV commercials, the company has used insights from everyday situations to highlight the ease of investing through Upstox. Upstox claims to have added over 600,000 demat accounts in the last quarter of FY20-21.