Bizongo, an online marketplace for B2B packaging needs, confirmed a data breach on Wednesday and said that it immediately addressed the issue, which involved AWS Simple Storage Service (S3), a cloud storage service widely used by online businesses.
The data breach had allegedly put at risk 2.5 million files with details including customer names, delivery addresses, billing addresses, and phone numbers of buyers. Payment and financial details and tracking numbers were also left exposed, as bills of several client companies were circulating on the dark web. Because only the number of files was specified, the exact number of customers at risk could not be assessed.
“We had an accidental misconfiguration that led to certain S3 buckets being accessible. We have addressed the same as soon as we received the notification from AWS,” a Bizongo spokesperson told TechCircle.
The company was first notified by AWS on December 31, 2020, and the breach was closed before January 8, 2021.
The company also denied storing and risking data of customers and client companies, which include several popular names such as Saso, Jodhpur, Delhivery, Box 8, Bunge, Neolite, Snapdeal, Carnival Group, Jio, Cure.fit, Swiggy and Flipkart.
“There is no risk or impact on consumers' data. We are a B2B company and work with clients primarily for their packaging requirements. Bucket that was accidentally misconfigured had been secured on time. We do not hold any customer details of our clients,” the spokesperson said.
Online portal Website Planet wrote in a blog post on Tuesday that one of the data buckets of the Mumbai-based digital supply chain platform was leaked. The post said the bucket contained sensitive information about customer transactions and orders, and that “anyone who has received a package via Bizongo, or placed an order with the company is at risk of this data breach.”
The blog post also attached several bills of client companies that were leaked online.
“Bizongo is an online packaging marketplace with a vast network of over 400 clients spanning a multitude of industries, and have delivered more than 860 million packages to date,” the blog post noted.
The six-year-old company works with a network of over 750 manufacturers, and supplies packaging to more than 400 clients.
The spokesperson added, “We have secured the S3 bucket soon after receiving the notification. We have also taken strong measures to prevent such accidental misconfiguration from happening in the future. We take data security seriously and will follow best of security practices to protect ours and our clients' data.”
With this incident, Bizongo joins a slew of other internet companies that have faced similar data leaks in recent months. The latest were Upstox on Sunday and MobiKwik two weeks ago. Other companies that have faced such leaks include BigBasket, Route Mobile, JusPay, and Chqbook.
But who is buying this data?
According to internet security researcher Rajshekhar Rajaharia, who has been tracking these breaches, the key reason has been hackers asking for ransom from companies to delete leaked data.
“Upstox was asked for $1.2 million in ransom and even MobiKwik was asked for around Rs 60 lakh,” Rajaharia told TechCircle. He added that both of these cases were high-risk, as the MobiKwik breach involved credit card details of customers while the Upstox breach had customer signatures leaked.
He added, “Certain companies too buy such data about their competitors. This helps them in saving money on marketing strategies, while giving them a study about their rival’s business.”