Swiggy reports two data breaches amidst growing cybersecurity concerns

Swiggy, one of India’s largest food delivery platforms, has revealed details of two significant data breach incidents over the past two years in its updated Draft Red Herring Prospectus (DRHP) report, raising concerns about its data security measures.

 

According to the DRHP, the IPO-bound food delivery giant experienced two cyberattacks resulting in data breaches between 2022 and June 30, 2024. The platform also acknowledged its vulnerability to a wide range of cyber threats, including social engineering, denial-of-service attacks, credential stuffing, ransomware, and malware, in addition to the potential for employee errors or misconduct.

 

The first reported breach occurred in September 2022 during a technical infrastructure update, where customers could view the last four digits of other users’ credit card details or portions of their UPI handles. Swiggy voluntarily reported the incident to India’s Computer Emergency Response Team (CERT-In) despite no formal complaints or financial impact.

 

The second breach in February 2023 involved unauthorized access by a former employee to Swiggy’s test systems, which was quickly detected and addressed. The breach, limited to the testing environment, prompted the company to update its internal policies and file a police report against the ex-employee.

 

Further complicating Swiggy’s security challenges, CERT-In alerted the company in March 2024 about a possible data leak at one of its third-party service providers. Fortunately, the provider confirmed that Swiggy’s data was not hosted on the affected servers, and no compromise occurred.

 

Swiggy acknowledged that future cyberattacks remain possible, emphasizing the growing risks associated with storing more personal data. The company highlighted the potential for reputational harm, financial liability, and the loss of user trust if such incidents occur. Swiggy’s DRHP underscores the need for ongoing vigilance in safeguarding sensitive data, even as it continues to enhance its cybersecurity measures.