A suspected hacker has stolen as many as 17 million e-mail addresses from Zomato, a popular food delivery app in India.
Zomato has stressed that the passwords involved were stored only as one-way hashes, that users' financial information was not exposed, and that the breach was the result of human error.
Zomato is a very popular food delivery app in India with over 120 million users and supports as many as 18,000 restaurants. This morning, the company confirmed that 17 million user records were stolen from its database, including e-mail addresses and hashed passwords. It also confirmed that no payment information or credit card data was stolen or leaked.
Zomato said that the cause of the breach was human error: the hacker gained access to an employee's development account. While the attacker now holds the e-mail addresses, Zomato stresses that the hashed passwords are of no use because they cannot be converted back to plain text, since the company uses a one-way hashing algorithm that runs multiple hashing iterations over every password. That claim deserves a caveat: an iterated one-way hash cannot be reversed, but it can still be attacked by guessing, because anyone holding the hash can run candidate passwords through the same function and compare the results. Extra iterations only make each guess slower, so weak or reused passwords remain at risk, which is why the forced password reset described below matters more than the hashing claim itself.
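The mechanism Zomato describes, salted and iterated one-way hashing, and the reason it does not make leaked hashes worthless, as an added illustration. This is example code written for this article, not Zomato's implementation; the choice of PBKDF2-HMAC-SHA256, the 100,000 iteration count, the 16-byte salt and the sample passwords and wordlist are all assumptions.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Assumed parameters for this illustration, not Zomato's actual settings.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way, iterated hash of a password with a per-user salt (PBKDF2-HMAC-SHA256).

    There is no inverse function: the only way back to the password is to guess it.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str) -> dict:
    """Build the record a server would persist: salt, iteration count and digest.

    The plaintext password itself is never stored.
    """
    salt = os.urandom(SALT_BYTES)
    return {
        "salt": salt,
        "iterations": ITERATIONS,
        "digest": hash_password(password, salt),
    }


def verify_password(record: dict, attempt: str) -> bool:
    """Legitimate login check: rehash the attempt with the stored salt and compare in constant time."""
    candidate = hash_password(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def offline_guess(record: dict, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker holding a leaked record can do: hash each guess and compare.

    The salt defeats precomputed tables and the iterations make each guess cost
    ITERATIONS HMAC calls, but a password that appears in the wordlist is still recovered.
    Returns the recovered password, or None if no guess matched.
    """
    for guess in wordlist:
        digest = hash_password(guess, record["salt"], record["iterations"])
        if hmac.compare_digest(digest, record["digest"]):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data: one weak password and one long random one.
    leaked_weak = store_password("password123")
    leaked_strong = store_password("v7#Qp!2Lz9@wRk4m")
    # A tiny constructed wordlist standing in for the real multi-million-entry lists attackers use.
    wordlist = ["123456", "password", "password123", "qwerty"]
    print("weak password recovered:", offline_guess(leaked_weak, wordlist))
    print("strong password recovered:", offline_guess(leaked_strong, wordlist))
```

Running the block shows the two sides of the argument: `verify_password` works for the site without ever storing the password, yet `offline_guess` recovers the weak password from the leaked record despite the salt and the iterations. The iteration count buys time per guess, not immunity, so the reset Zomato performed is what actually closes the window for users whose passwords were guessable.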
Image source: hackread.com
The company also stressed that all payment information, including customers' credit card details, is stored separately in a PCI Data Security Standard (DSS) compliant vault and that the hacker was not able to access that vault. After discovering the breach, Zomato reset all users' passwords and logged them out of its app and website.
According to the Economic Times, the hacker behind the Zomato data breach goes by the name 'nclay' and has claimed that he or she will sell all 17 million e-mail addresses, along with the hashed passwords, on the dark web for 0.5587 Bitcoin, then equivalent to $1,001.43.
To prevent human error from causing further data breaches, Zomato said it is adding an extra layer of authorisation for internal teams with access to customer data. The company is also enhancing security measures to protect all data stored on its servers.
Back in 2016, statistics obtained by Egress Technologies from the UK Information Commissioner's Office revealed that human error accounted for 62 per cent of the data breaches it recorded. Of these, 17 per cent were caused by data being posted or faxed to the wrong recipient, 17 per cent stemmed from the loss or theft of paperwork, and nine per cent involved data being e-mailed to the wrong recipient.
“Human error and data breach incidents continue to go hand-in-hand,” said Egress CEO Tony Pepper. “Time and again we’re faced with this reality and yet as today’s statistics show, little effective action seems to have been taken to improve the situation. Clearly at a board level, mistakes continue to be made as priorities aren’t balanced, leaving companies exposed."