Shipyaari, a Mumbai-based software company that also provides shipping logistics to major consumer brands, has reportedly exposed the personal data of its customers through a months-long spill of its internal shipment information.
Shipyaari Exposed Customer Data
According to TechCrunch, the exposed data was discovered by security researcher Ashutosh Barot. The data included the customers’ names, addresses, phone numbers, order invoice amounts, and delivery status.
Barot said that Shipyaari’s client tracking page was not password protected and could be viewed by anyone who had the web address.
Barot told TechCrunch in an interview that the exposed data could later be used to “perform targeted social engineering attacks and even financial frauds.”
The researcher called Shipyaari about the data exposure back in 2021, and the company promised to fix it to protect its customers.
Some changes were made, but the company did not close the exposure. It was eventually fixed in July, after TechCrunch contacted the company about the security incident.
How Shipyaari Fixed the Exposure
Shipyaari fixed the exposure by removing customers’ personally identifiable information (PII) from the tracking page and restricting access to it with a one-time PIN (OTP) system. The company later updated the system to limit automated attacks by fraudsters.
Vishal Totla, the founder of Shipyaari, told TechCrunch in an email that data privacy is “of utmost importance” to them, and they will ensure that this incident will “not occur in the future.”
Totla said that customers’ PII would no longer be displayed on the page while it loads.
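The fix described above has three parts: strip PII from the unauthenticated view, gate the full record behind an OTP, and cap OTP guesses so the gate cannot be brute-forced. The following is an added illustration of that pattern, not Shipyaari’s code; the shipment record, the AWB number, the 5-minute OTP lifetime and the 5-attempt limit are constructed assumptions.

```python
import hmac
import secrets
import time

# Constructed sample shipment record; not real customer data.
SHIPMENTS = {
    "AWB123456": {
        "name": "A. Customer",
        "address": "12 Example Road, Mumbai",
        "phone": "+91-9000000000",
        "invoice_amount": 1499.00,
        "status": "Out for delivery",
    },
}
PII_FIELDS = {"name", "address", "phone", "invoice_amount"}
OTP_TTL_SECONDS = 300      # assumed OTP lifetime
MAX_OTP_ATTEMPTS = 5       # assumed lockout threshold per shipment
SERVER_KEY = secrets.token_bytes(32)  # per-process key for OTP HMACs

# awb -> {"mac": hex HMAC of the OTP, "expires_at": epoch, "attempts": int}
_otp_store = {}

def _otp_mac(awb, otp):
    # Store a keyed MAC rather than the OTP itself; the 6-digit space is
    # too small for a plain hash to resist offline guessing.
    return hmac.new(SERVER_KEY, f"{awb}:{otp}".encode(), "sha256").hexdigest()

def public_view(awb):
    """Unauthenticated tracking view: delivery status only, no PII."""
    rec = SHIPMENTS.get(awb)
    if rec is None:
        return None
    return {k: v for k, v in rec.items() if k not in PII_FIELDS}

def issue_otp(awb, now=None):
    """Create a single-use 6-digit OTP; the caller sends it out of band."""
    otp = f"{secrets.randbelow(10**6):06d}"
    expires = (now if now is not None else time.time()) + OTP_TTL_SECONDS
    _otp_store[awb] = {"mac": _otp_mac(awb, otp), "expires_at": expires, "attempts": 0}
    return otp

def full_view(awb, otp, now=None):
    """Return the full record only after a correct, unexpired OTP; lock after repeated failures."""
    state = _otp_store.get(awb)
    now = now if now is not None else time.time()
    if state is None or now > state["expires_at"] or state["attempts"] >= MAX_OTP_ATTEMPTS:
        return None
    state["attempts"] += 1
    if not hmac.compare_digest(state["mac"], _otp_mac(awb, otp)):
        return None
    del _otp_store[awb]  # single use: a verified OTP cannot be replayed
    return dict(SHIPMENTS[awb])
```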
Shipyaari claims to handle more than 5,000 shipments on a daily basis. The company also has more than 6,000 active sellers across India, according to Business Traverse.
Barot underlined that the country needed strong data privacy laws to help limit the growing instances of data exposures and leaks.
In early August, the Indian government withdrew the long-anticipated Personal Data Protection Bill that was promoted to bring stringent rules to help protect the privacy of its citizens.
The legislation alarmed tech giants and raised privacy concerns about how they could manage sensitive user information.
India’s Privacy Bill
According to Reuters, India’s government withdrew its data protection and privacy bill, which was first proposed in 2019 and had alarmed tech giants such as Facebook and Google. The government announced that it was working on a new, comprehensive law.
The 2019 bill had proposed stringent regulations on cross-border data flows and would have given the government powers to seek user data from companies, seen as part of the stricter stance taken by Prime Minister Narendra Modi’s government towards tech giants.
The Indian government’s notice said the decision came after a panel’s review of the 2019 bill suggested several amendments, creating the need for a new, more comprehensive legal framework. The government will now present a new bill.
Ashwini Vaishnaw, the IT minister, told Reuters that the government has begun drafting the new bill. It is expected to be approved and made into law by 2023, in the parliament’s budget session, which usually runs from January to February.