India’s leading fashion company, Aditya Birla Fashion and Retail Ltd (ABFRL), has faced a massive data breach: data including over 5.4 million e-mail addresses has allegedly been scraped from the Aditya Birla Group-owned platform and posted online.
As many as 5,470,063 ABFRL accounts are said to have been breached and ransomed in December last year. The leaked database is said to include financial and transaction details, with 21GB of ABFRL invoices.
The alleged database has been made public by a hacker group known as ShinyHunters.
ABFRL has confirmed the incident and said that it is investigating an information security incident that entailed unauthorised access to its e-commerce database. The spokesperson of the company added that there has been no operational or business impact.
He said, “As a pro-active measure, the company has reset passwords of all customers and enabled OTP-based authentication and taken further steps to secure access to customer and employee information.”
Cybersecurity expert Rajshekhar Rajaharia has also tweeted about the incident and shared information.
[Alert!] #ShinyHunters allegedly made public 700 GB of data of #AdityaBirlaFashion including 5.4Mn emails, phone. It seems New Year Data Breaches season started in India. Time to change work email’s password. #InfoSec #GDPR #DataProtaction #DataLeak https://t.co/uloe1Xcdag pic.twitter.com/etdWdJHHsI
— Rajshekhar Rajaharia (@rajaharia) January 15, 2022
According to reports, the alleged database includes personal customer information such as names, phone numbers, addresses, dates of birth, order histories, credit card details and passwords stored as Message-Digest algorithm 5 (MD5) hashes.
The data breach is also said to include details of employees, including salary details, religion and marital status. Some affected customers were informed of the breach of ABFRL accounts by the data breach tracking website Have I Been Pwned.
The hacker group’s ransom demand was allegedly rejected, and the data was subsequently posted publicly on a popular hacking forum.
According to a report by RestorePrivacy, ShinyHunters had access to the ABFRL database for many weeks. The report says the allegedly stolen information is claimed to include ABFRL employee data such as full name, e-mail, birth date, physical address, gender, age, marital status, salary, religion and more.
The data includes server logs and vulnerability reports for ABFRL's Indian clothing brands, including American Eagle, Pantaloons, Forever21, The Collective, Van Heusen, Peter England, Planet Fashion and Shantanu & Nikhil.
It is also said to contain ABFRL customer data, hundreds of thousands of invoices, the company's website source code and server reports.
As reported by Gadgets 360, “We tried to get in touch with ABFRL. They sent a negotiator but he was just stalling (the offer was more than reasonable for a ‘US $ 45-Billion conglomerate’). So we decided to leak everything for you guys including their famous divisions such as Pantaloons.com or Jaypore.com,” the hacker group noted in a post dated 11 January. However, the exact amount requested for payment is unknown.