Upstox upgrades security systems after data breach alerts

Online stockbroking platform Upstox on Sunday acknowledged a data breach that has potentially exposed an estimated 2.5 million users’ contact information and KYC details.

In a blog post, the company assured users’ funds and securities are protected, and that the security systems have been upgraded.  

“We have upgraded our security systems manifold recently, on the recommendations of a global cyber-security firm. We brought in the expertise of this globally renowned firm after we received emails claiming unauthorized access into our database. These claims suggested that some contact data and KYC details may have been compromised from third-party data-warehouse systems,” Ravi Kumar, co-founder and CEO, Upstox said in a blog post.

He added, “We would like to assure you that your funds and securities are protected and remain safe. Funds can only be moved to your linked bank accounts and your securities are held with the relevant depositories. As a matter of abundant caution, we have also initiated a secure password reset via OTP.”

In a series of tweets on Sunday, internet security researcher Rajshekhar Rajharia wrote that approximately 2.5 million Upstox users’ data was affected, as a part of 56 million KYC files allegedly leaked by ShinyHunters.  Details leaked include name, email, date of birth, PAN, bank details and KYC information.  

Rajharia attached screenshots of leaked data with the tweet. According to him, Upstox uses Amazon Web Services (AWS) Simple Storage Service or AWS S3 bucket

Again Huge KYC Leak!! approx 2.5 Million @upstox Users Including 56 Million KYC files alleged leaked by ShinyHunters from UpStox Server. Data Including Name, Email, DOB, PAN, Bank Details, KYC(Passport, PAN, Cancelled Cheque, Sign Pics etc.) #infosec #GDPR #databreach pic.twitter.com/IZQIWVD0MM

— Rajshekhar Rajaharia (@rajaharia) April 11, 2021

The Tiger Global management-backed startup and the second largest brokerage firm in India, after Zerodha, is not the only company to have faced data breach at this scale. Over the past few months, several other large internet companies including BigBasket, Juspay, Mobikwik, Chqbook have faced similar issues.  

“Watch out for OTPs you may not have requested and alert the service provider in such events. Beware of online fraud and double-check the legitimacy of links and senders,” Kumar said.