On November 7, 2020, a blog post surfaced on the website of information security firm Cyble Inc: “BigBasket, India’s leading online supermarket shopping, allegedly breached. Personal details of over 20 million people sold in Darkweb.”
The sum and substance of the post was this:
- A breach occurred on October 14 and Cyble’s team detected it on October 30. They validated the breach and let BigBasket’s management know about it the next day.
- On November 7, Cyble disclosed to the public that BigBasket’s database was on sale for $40,000 in the cybercrime market.
As if on cue, the post caught the eye of reporters on the technology beat at most Indian publications.
When we reached out to Hari Menon, co-founder and CEO of BigBasket, he was fielding calls from media outlets across the country. “There is not much else to add,” he told us. Once the fires had been doused, he said, he would be amenable to a conversation.
At Founding Fuel, our interest in the episode was piqued when we learnt that BigBasket had filed a First Information Report (FIR) on November 6, 2020, with the cyber cell of the Bengaluru Police to investigate the incident—a day before Cyble made public details of the breach. Founding Fuel has seen the FIR.
It was filed in Kannada. Translated, it reads: “Innovative Retail Pvt Ltd is a company that sells groceries and stores user information online. Someone accessed this information without authorization and has posted it on the Dark Web. This information was passed on via email by Beenu Arora to Innovative Retail. The accused, Beenu Arora, said he was the CEO of a company named Cyble and asked for $70,000 to remove it from the Dark Web. And that in the future he will implement preventive measures to stop such incidents from repeating themselves if $1,00,000 is paid to him via bitcoins. He informed this via Google Meet and WhatsApp. Later, Innovative Retail checked its servers and found that on 13-10-2020, someone had accessed user data by hacking illegally. Therefore, this complaint is filed and details are being provided accordingly.”
While Menon confirmed that Innovative Retail (the parent company that owns BigBasket) had gone to the police, he was unwilling to answer the other questions we had. These were based on conversations with sources in the infosec community. Their narrative has it that Menon and the team at BigBasket were at work to set a precedent for other companies—don’t pay any money.
The FIR suggests that Menon and the team at BigBasket viewed Arora’s demand as digital extortion.
Infosec analysts we spoke to thought they could hear a deeper narrative in the FIR and suggested we look at the pattern of events leading to the complaint.
- Earlier in May, Cyble reported that details of 22 million users on the Facebook-backed Unacademy, a popular learning platform, had been compromised.
- Then in July, hyper-local delivery firm Dunzo acknowledged its data was compromised. A statement issued by the company said it was working with leading cyber security experts to fix the issue and that no sensitive data was leaked. The grapevine in the infosec community had it that Cyble was involved in some way as well.
- But what really got the infosec community’s interest going was when The Economic Times reported in September that Paytm Mall had sent Cyble a legal notice after it reported a data breach. The notice threatened to initiate civil and criminal suits for “making false allegations.”
Founding Fuel attempted to reach out to Vijay Shekhar Sharma, the founder of Paytm. But he declined to comment. Like Menon, he communicated that whatever he has to say is in the public domain.
Conversations with informed sources in the community suggest that Menon at BigBasket and Sharma at Paytm are furious at how things have panned out so far, and that between them they are at work to convince other entities to form a coalition to bring Beenu Arora and Cyble down. And, much like Menon at BigBasket, Sharma at Paytm Mall shot off a legal notice to show others in the Indian ecosystem how it can be done.
Their narrative is that if you don’t give in to someone attempting to hold you hostage, entities such as Cyble and people such as Beenu Arora who run it will be run aground.
[By Anmol Shrivastava]
Shooting the messenger?
But, here’s the issue: Why did Menon and Sharma have to go to the police against Arora or threaten legal action against Cyble? Because technically, Cyble has done nothing illegal. It discovered breaches at BigBasket and Paytm Mall, informed the management, and placed the information in the public domain.
If anything, customer data has been compromised and the onus is on entities such as BigBasket and Paytm to let people know about it.
In response to a question from Founding Fuel on Cyble’s motive around making the breach public, an email read: “The underlying intent of the disclosure was public good and in line with people’s right to know. It was intended to keep people informed about the risks associated with their data—Cyble had no expectation whatsoever or obligations in return.”
“There are some grey areas here,” an infosec analyst we spoke to said. As a rule of thumb, mature entrepreneurs do not negotiate when compromised. “What is to prevent anyone in possession of your data from making copies after you have acceded to their demands?” he asks.
Then there are the commercial terms Arora suggested to BigBasket, as articulated in the FIR, which make him uncomfortable.
- If a breach occurred as early as October 13, and Cyble was in touch with BigBasket’s management from November 1, why did Cyble and Arora wait a week, until November 7, to place the information in the public domain? Our conversations with infosec analysts have it that after a breach is discovered, most security firms give the affected company a lead time of up to one week to fix the breach before they go public. While the narrative put out by Cyble in the public domain (see timeline) suggests it has worked off this timeline, there are differing versions of how exactly the events unfolded. One version has it that Cyble connected with BigBasket earlier to open a conversation. But this could not be independently authenticated.
- Did Arora and Cyble decide to go public about the breach after they had been unambiguously told that their services weren’t required? And that an FIR had been filed with the cyber crime cell in Bengaluru on November 6 accusing Arora of extortion and asking the police to investigate Arora’s role?
In response to a question from Founding Fuel on BigBasket’s allegation that Cyble’s founder Beenu Arora has been named in the FIR for attempting to extract money from BigBasket, Cyble denied any knowledge about it. “At this stage, Cyble is not in receipt of any complaints or communication from any relevant authorities.”
- Cyble offered to retrieve the data and settle the matter with the hacker, for which it asked to be paid in bitcoins. Now, that’s understandable. But, as the FIR in Kannada seems to suggest, did it also ask to be paid for its own services in bitcoins? That is rather odd. Indian regulators’ stance on this cryptocurrency is still ambiguous.
- When we specifically asked Cyble for their version of events, their email reply read, “the said cyber-attack on BigBasket was conducted by an infamous organized hacking group namely – ‘ShinyHunters’.” This has been updated on Cyble’s blog as well.
All of this is grey territory. An attempt to find answers can begin by asking, who is Arora?
Who is Beenu Arora?
Arora’s personal homepage describes him as founder and CEO of Cyble, Inc and a member of the Forbes Technology Council. Cyble’s page on LinkedIn claims it is backed by Y-Combinator whose founders include the legendary Paul Graham.
On looking up Crunchbase, a platform for finding business information about private and public companies, some rather interesting (and strange) facts emerge.
1. Cyble is registered in Georgia, US, has two employees, Arora included, and has raised $282,000 so far from one investor—Singtel Innov8—over five rounds.
Crunchbase also says its last round of pre-seed funding of $50,000 was as recently as October 2020.
But on looking up the entities that Singtel Innov8 has invested in, Cyble doesn’t figure.
An email seeking details on the sources of its funding met with, “we are a privately-owned organization”. The note was signed by “an authorized representative.”
2. On looking up Y-Combinator’s database of the companies it has engaged with, Cyble does not show up there either. When asked about this, the email response reads, “As of now, Cyble would not put forth any comments.”
3. As for being on the Forbes Technology Council, it is a club whose membership can be bought for $1,200 per annum. Posts that members of this club write and get published are part of the package. The posts, however, are marked as paid. When looked at from the outside, though, it lends a stamp of credibility. The ethics of this practice have been the subject of much debate in journalism circles.
Between BigBasket’s FIR and data points such as these in the public domain, it is tempting to conclude Arora is a shady operator and Cyble is a fraudulent entity. But it cannot be legally established yet; nor is it fair to jump to any conclusions yet.
This has to do with the fact that technology is an evolving beast. Once upon a time, the now respectable antivirus software firms such as Symantec and Norton, among others, were accused of creating viruses and using scareware tactics to sell the products they create. The courts were called to adjudicate, and class action suits were filed against anti-virus companies such as these in the US. Those cases did not stand up to scrutiny and the companies went on to earn millions for their creators. That most of them are now practically defunct is another story.
“I think Cyble’s business model is like one of those antivirus models. It is built on fear and does not look sustainable to me in the longer term,” says a Mumbai-based software professional who did not want to go on the record.
When probed on why, he offered much perspective. Companies similar to Cyble exist around the world. They make much money exposing vulnerabilities and bringing them to a management team’s notice. Oftentimes, when a company’s data is compromised and finds its way to the Dark Web, people panic. That is when companies such as Cyble offer to negotiate and extricate the data from players on the Dark Web, and offer to protect the entity from vulnerabilities in the future.
The Dark Web is that part of the internet that is not indexed by conventional search engines and is reachable only through special software. To place that in perspective, consider a few examples that we looked at.
1. When we started examining this narrative, Cyble had a blog post that articulated in much detail how Haldiram Snacks’ sensitive data was compromised. This included employee salary data. At the time of piecing this narrative together, the page had been taken off its blog. But on looking up the Internet Archive, a snapshot of the page where Cyble originally described the incident can be seen. Other press reports have it that ransomware attackers asked Haldiram’s to pay up $750,000 to release confidential data. Infosec analysts suggest Cyble staged the episode to win Haldiram’s confidence. This could not be confirmed independently.
2. What could be confirmed, however, was that the grapevine was right about Dunzo. Cyble had a role to play there. A spokesperson for Dunzo, however, denied any ransom was paid or that they have joined a coalition to get Arora and Cyble.
Chandrika Batra, the company’s spokesperson wrote in an email, “Cyble reached out to us after we had already verified the breach independently. We then proceeded to take the necessary action whether that was vetting a cybersecurity firm or informing users proactively about the same. Cyble did get in touch a couple of days later.
“We took the decision to work with them based on the recommendations of our peers in the start-up ecosystem as well as an external consulting partner we work with. Both groups made strong recommendations to employ Cyble for the time being until we could bring the situation into a stable state. We employed Cyble's services for threat monitoring for a limited period of time.”
On Arora’s role, Batra said, “The said person did offer Dunzo his services in monitoring the dark web and other sources for any other leak or incidences, to which we agreed upon a project duration of 3 months, which has now ended. This was a purely professional engagement.”
3. The startup ecosystem in Bengaluru has it that Gaurav Munjal, CEO and co-founder of Unacademy, has also thrown his weight behind the coalition to nail Arora. He declined to comment as well.
Perhaps Munjal has much else on his mind right now. As recently as September, Unacademy raised $150 million from SoftBank at a valuation of $1 billion. News reports of the data breach at Unacademy started to do the rounds in May. Much like Dunzo, which has been in fundraising mode since August.
“This is a cat-and-mouse game,” says the Mumbai-based infosec analyst who placed much in perspective for us. “It is inevitable that there will be some vulnerability in your system. Your team has to keep looking all the while and patch it.”
An unfinished playbook
This is something exposure to other parts of the world may have taught Menon at BigBasket and Sharma at Paytm. They have also learnt that negotiations with any actor whose intent is suspect are a lose-lose for the entities they lead. So, they don’t get into it. There is much else they have to deal with.
The intent behind creating a coalition is to stand up as an ecosystem and do a few things together.
- Start by refusing to negotiate with mala fide players. That closes the curtains on anyone trying to negotiate.
- Share information on breaches with each other, along with the lessons learnt.
- Create bug bounty programmes, which are now commonplace. These are official programmes that offer rewards to anybody who discovers a vulnerability and brings it to the company’s notice, and are part of the best practices adopted by entities such as Facebook, Google, Apple, PayPal and even the Pentagon. Early adopters in India include Paytm, Zomato, Yatra, Ola and the Indian government’s Aarogya Setu app.
“What most people in India don’t get is that there is no shame in admitting to a data breach. In fact, that is the smartest thing to do.” The analyst points out that LinkedIn was compromised in the past. Earlier in July, Twitter was targeted.
But the difference is that when entities in other parts of the world are faced with such situations, they go public about it and inform their customers about the breach. Technology professionals in markets such as Singapore, the UK, and the EU work with this principle.
Data protection laws in these countries make it a regulatory obligation for an entity to inform individual consumers that their data has been compromised. Failure to comply can lead to harsh outcomes, including prison terms for those who are delegated to ensure data confidentiality.
In countries such as India and the US (except California) where such laws don’t exist, entities are not obliged to inform consumers if their data has been compromised.
This absence of a personal data protection law allows companies such as BigBasket and Paytm to get away without informing individual customers about a breach. While both entities can argue no sensitive information was leaked, that argument is a specious one. Because there is a market for this data.
There was another crucial development that may have weighed heavily on the minds of the BigBasket management. On October 28, three days before Cyble reached out to it, news about BigBasket preparing to sell a majority stake to the Tata group hit the headlines. This transaction is of enormous importance to BigBasket’s future as India’s leading e-grocer, especially at a time when global giants such as Amazon and local champions like Reliance are starting to mount huge assaults to woo the Indian consumer. BigBasket would have been understandably antsy about not letting any bad news scupper the deal or impact their valuations.
Under these circumstances, the decision not to negotiate with Cyble appears bold. The management may have hoped that filing an FIR would deter Cyble from going ahead and disclosing the breach on its blog. That clearly did not happen. And even after Cyble’s post was published on November 7, in the interests of full transparency, BigBasket could have chosen to directly communicate the matter to its customers. It didn’t do that. Instead, it chose to put out a statement to the wire service PTI in response to queries. (The story that PTI flashed on its terminals was carried by most leading publications, including Outlook and Mint that subscribe to its news feed.)
This seemingly half-hearted attempt at damage control proved counterproductive, and the story of the breach made it to the front page of every major newspaper. Not just that, the decision not to reveal the breach to its customers invited criticism on social media and, for sure, dented BigBasket’s image.
If only BigBasket and Paytm had walked that extra step and directly disclosed the breach to customers before Cyble put it out on their blog, they could have created history as game changers.