Online restaurant guide and food-delivery firm Zomato Media Pvt. Ltd has suffered a massive security breach with about 17 million users' records stolen from its database, the company said in a blog post on Thursday.
The stolen information includes users' email addresses and hashed passwords, the blog post said. However, no payment information or credit card data has been leaked, it added.
Deepinder Goyal, co-founder and chief executive of Zomato, also tweeted in an effort to assure customers. "Your credit card info, and your addresses are fully safe and secure." He said he still has his credit card on file on Zomato.
A company spokesperson clarified to VCCircle that the attack had "nothing to do with WannaCry or Ransomware" that hit the cyber world earlier this week and affected millions of computers across the world.
Though the time of the data breach is not clear, Zomato assured users that their passwords were safe. "Although user names and email addresses were accessed...the passwords are hashed and salted. This means they can’t be converted back to the original password," the post said.
In the meantime, the company has reset the passwords for all affected users and logged them out of the app and website as a security measure. Over the next couple of days, Zomato will be ramping up its security systems. "We will add a layer of authorisation for internal teams having access to this data to avoid any human breach," the company explained.
The company has close to 120 million users.
Certain media reports said, citing cyber security blog HackRead, that a user by the online handle of 'nclay' claimed to have hacked Zomato and was looking to sell user data on a popular Dark Web marketplace. He has priced the whole package at $1,001.43 (BTC 0.5587), with BTC standing for bitcoins.
In May last year, social media was abuzz with reports that Indian Railway Catering and Tourism Corporation (IRCTC), India’s biggest e-commerce player by revenue, was the victim of a cyberattack, with data of around 10 million customers allegedly stolen from its servers. An official statement issued by the ministry of railways later said thorough investigations had been conducted but no such hacking incident had been detected by the technical teams of Centre for Railway Information Systems (CRIS) and IRCTC.
Meanwhile, the government has taken cognisance of the vulnerability of e-commerce transactions to cyber crime and fraud.
The ministry of electronics and information technology (MeitY) is drafting a policy on mobile wallets and mobile banking to mitigate the risk of cyber fraud. Besides, to instill confidence among those who conduct digital transactions, the government is also considering insurance protection against cyber-crimes.
In January, media reports had said the government was looking to introduce insurance for transactions done through e-wallets.