Shipyaari, a Mumbai-based software company that offers shipping logistics to major consumer brands, exposed the personal data of thousands of its customers because of a months-long spill of its internal shipment information.
The exposed data, discovered by security researcher Ashutosh Barot, included Shipyaari customers’ names, addresses, phone numbers, order invoice amounts and delivery status. According to Barot, Shipyaari’s client tracking page was not password protected and could be viewed by anyone who had the web address.
“The exposed information could later be used to perform targeted social engineering attacks and financial frauds,” Barot told TechCrunch.
The researcher initially contacted Shipyaari about the exposure in October 2021 and the company promised a fix in December. Some changes were made, but did not fix the exposure. It was eventually fixed in late July after TechCrunch reached out about the security incident.
“I appreciate Shipyaari for fixing the issue and implementing recommendations,” Barot said.
Shipyaari fixed the exposure by removing customers’ personally identifiable information (PII) from the tracking page and restricted its access with a one-time PIN (OTP) system. It later updated the system to limit bad actors from launching automated attacks.
“Data privacy is of utmost importance to us, and we will ensure such instances should not occur in the future,” Vishal Totla, founder of Shipyaari, said in an email response to TechCrunch.
Totla said customer PII data will no longer display on the page while loading.
Shipyaari claims to handle more than 5,000 shipments a day. The company also has more than 6,000 active sellers across the country.
Barot underlined that India needed strong data privacy laws to help limit growing instances of data exposures and leaks.
Earlier this month, the Indian government withdrew the long-anticipated Personal Data Protection Bill that was promoted to bring stringent rules to help protect its citizens’ privacy. The legislation alarmed tech giants and raised concerns about how they could manage sensitive user information.
Comment