Discount broker Upstox suffers data breach – Aadhaar, PAN and bank account numbers leaked

• Upstox, the second largest stock broker in India, has suffered a massive data breach.
• This breach has exposed user data like Aadhaar, PAN, bank account numbers and more.
• While Upstox did not comment on the data leak, it said it has upgraded its security systems ‘manifold’ on the recommendations of a global cyber-security firm.

Popular discount broker Upstox has suffered a massive data breach that has exposed some important data like Aadhaar, PAN and bank account numbers, apart from other personally identifiable information like mobile numbers and email addresses.

Upstox is a Delhi-based discount stock broker that allows its customers to buy and sell shares. It is backed by Tiger Global and has over 1 million customers.

“We have upgraded our security systems manifold recently, on the recommendations of a global cyber-security firm. We brought in the expertise of this globally renowned firm after we received emails claiming unauthorised access into our database,” Upstox said on its website, reacting to reports of the data breach.

The company said that despite the data breach, the funds and shares of its customers are safe. This is for two reasons – funds in your Upstox account can only be withdrawn to the linked bank account, and the shares are held with the depositories – either Central Depositories Services India Ltd (CDSL) or National Securities Depository Ltd (NSDL) – and not with Upstox.

With that being said, Upstox users have other things to be worried about. Security researcher Rajshekhar Rajaharia, who had earlier tipped Business Insider about Juspay and MobiKwik data breaches, told us that the Upstox data breach includes Aadhaar, PAN, passport, bank account numbers, mobile numbers and even the photos of signatures.

This data could be used by hackers or malicious parties to impersonate users and transact on their behalf without the users’ knowledge.

According to Rajaharia, the Upstox data breach was executed due to a compromised Amazon Web Service (AWS) key used by the company. He says that the same AWS key vulnerability was exploited in the MobiKwik data breach as well.

Rajaharia shared a data sample with us – the sample revealed user details as reported in the breach. However, we could not verify the authenticity of the sample. The hacking group, ShinyHunter, has taken down the data for now.

Upstox is the latest in Indian companies being targeted by hackers

The Upstox data breach is the latest in a string of Indian companies being hacked – the most recent ones were MobiKwik, Juspay, ClickIndia, ChqBook, WedMeGood, among others.

However, this time around, the Upstox data breach could be a result of its own folly.

SEE ALSO:

The company that processes payments for Amazon and Swiggy has reported a data leak of over 100 million debit and credit cardholders

From FireEye to Twitter to Covid-19 vaccine research ⁠— these were the biggest cyber attacks of 2020