Indian tech retail giant Poovika leaked over 8m sensitive data records via unsecured cloud database

Poorvika, one of India’s largest tech retailers, suffered a significant cyber security incident that compromised the sensitive personal information of more than 8 million customers and employees.

One of the biggest tech retailers in the country, Poorvika is a retailer of top brands like Apple, Samsung, Oppo, Vivo, Xiaomi, OnePlus, Redmi, Realme, and Nokia and has around 500 stores across 43 cities in India.

According to WebsitePlanet, the breach was first identified by security researcher Jeremiah Fowler when he discovered an unsecured database owned and managed by the tech retailer that contained over 8 million documents.

“The publicly exposed documents included highly sensitive personally identifiable information (PII) as well as salary information, detailed employment records, and customer data,” Fowler said.

The compromised information includes employee data such as religion, sex, date of birth, marital status, family dependents, working status, whether they have resigned, and the reason for leaving the job.

Fowler added that the 725.8 GB database contained approximately 8,091,993 records. One of the folders contained 668,243 accounts with names and personal data of customers or app users. Another folder named “All Databases” included SQL backups of Poorvika databases, along with backups of its app and website’s source code.

Other data records stored by Poorvika in the unprotected database included 45,542 Gmail addresses, 53,885 PDF files of tax invoices, and payment receipts that exposed partial credit card numbers, and other data pertaining to both the customers and the company, and HR data files containing employees’ salary and bank account information.

“I immediately sent a responsible disclosure notice to Poorvika, and the database was closed to public access that same day. However, I never received a reply or response from the company regarding my findings,” Fowler explained.

All Poorvika customers and employees are advised to change their passwords and keep an eye on their financial records and other important accounts for any unusual activity. If any suspicious incident is noted, that should be immediately reported to law enforcement.

Earlier this year, a Twitter user claimed that a hacker group going by the name “SiegedSec” gained access to a database from Poorvika Mobiles that contained 15 GB of Poorvika account data, financial information, staff data, PII, and more.

The tech retailer has so far not commented on why the database was left unprotected or whether it was managed by a third party. It is also unclear how long this database was exposed or who else may have gained access to these records.