Data breach at Tata Sky and Croma; up to 22 million users affected

A cybersecurity report states that Tata Sky and Croma, both part of the Tata Group conglomerate, exposed the personal data of millions of customers through serious security flaws on their websites. Anyone exploiting the flaws could retrieve sensitive details, including full names, email addresses, dates of birth and phone numbers of affected users; both companies say the issues were fixed by last weekend.

Rahil Bhansali, a cybersecurity analyst, discovered the flaws on the Tata Sky and Croma websites and reports that they exposed each user's complete profile. He published his findings on his Medium blog. Beyond customers' personal data, Bhansali found that the flaws also exposed subscription details, including user IDs, subscription dates, transaction history and other confidential information about customers' use of the Tata Sky and Croma services.

As for the number of affected users, the researcher estimates that the records of up to 22 million subscribers could have been retrieved by anyone with basic coding and API knowledge; however, he says he has no way to determine whether a malicious actor actually accessed the exposed information.

The flaw was found by running a simple script that queried the websites with a series of phone numbers. After confirming the problem, the researcher reported his findings to the developers of the affected websites: “I have researched platforms like Jio and Vodafone, finding similar flaws,” says Bhansali.

A few days later, a Tata Sky spokesperson issued a statement regarding the report: “We are monitoring our networks and implementing additional security measures to make sure no further intrusion is active.” The company says it relies on automated software solutions and a security alert system to prevent any incident that could lead to a breach of customer data.

For his part, Ritesh Ghosal, Croma’s CMO, said the issues reported by the researcher have already been addressed: “We have analyzed the findings shared by Mr. Bhansali and have launched the appropriate fixes; these actions should show an immediate effect on our customers’ data security.” Ghosal also warned customers about the risk of a possible follow-on phishing campaign, asking them not to open suspicious emails or text messages and to ignore unsolicited phone calls related to their services.