Shipyaari, a Mumbai-based software company that provides shipping logistics to major consumer brands, exposed the personal information of thousands of its customers for months by leaving internal shipping information publicly accessible.
The exposed data, discovered by security researcher Ashutosh Barot, included names, addresses, phone numbers, order invoice amounts, and delivery status of Shipyaari customers. According to Barot, Shipyaari’s customer tracking page was not password protected and could be viewed by anyone who had the web address.
“The exposed information can later be used to carry out targeted social engineering attacks and financial fraud,” Barot told toptecheasy.com.
The researcher initially contacted Shipyaari about the exposure in October 2021, and the company promised a resolution in December. Some changes were made, but the exposure was not fully fixed. It was finally resolved in late July after toptecheasy.com contacted the company about the security incident.
“I appreciate Shipyaari for solving the problem and implementing recommendations,” Barot said.
Shipyaari resolved the exposure by removing customers’ personally identifiable information (PII) from the tracking page and restricting access with a one-time PIN (OTP) system. Later, it updated the system to prevent malicious actors from launching automated attacks.
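The two-part fix described above (keep PII off the unauthenticated page, then gate it behind an OTP that cannot be brute-forced or spammed) can be sketched as a small service. The following is an added example written for this article, not Shipyaari's code; the shipment records, AWB numbers, attempt and cooldown limits, and the `TrackingService` class are all constructed for illustration.

```python
"""Added example (not Shipyaari's code): a tracking lookup that shows
only delivery status to anonymous callers and releases PII solely after a
short-lived, single-use OTP with attempt limits and a resend cooldown.
All records and limits below are constructed for illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample records; no real customer data.
SHIPMENTS = {
    "AWB0001": {
        "status": "Out for delivery",
        "pii": {"name": "A. Customer", "address": "12 Example Rd, Mumbai",
                "phone": "+91-9000000000", "invoice_amount": 1499.0},
    },
}


@dataclass
class OtpState:
    digest: str        # hash of the OTP; the plaintext code is never stored
    expires_at: float
    attempts: int = 0


class TrackingService:
    def __init__(self, shipments, max_attempts=3, otp_ttl_s=300,
                 resend_after_s=60, clock=time.time):
        self.shipments = shipments
        self.max_attempts = max_attempts     # wrong guesses before the OTP dies
        self.otp_ttl_s = otp_ttl_s           # OTP lifetime in seconds
        self.resend_after_s = resend_after_s  # cooldown between OTP issues
        self.clock = clock                   # injectable for testing
        self._otps = {}                      # awb -> OtpState
        self._last_issued = {}               # awb -> timestamp of last OTP

    def public_status(self, awb):
        """The unauthenticated tracking page: status only, never PII."""
        rec = self.shipments.get(awb)
        return None if rec is None else {"awb": awb, "status": rec["status"]}

    @staticmethod
    def _digest(awb, code):
        return hashlib.sha256(f"{awb}:{code}".encode()).hexdigest()

    def request_otp(self, awb):
        """Issue a 6-digit OTP for the AWB. In production it is sent to the
        phone number on file and never returned to the caller; it is returned
        here only so the example can be exercised offline. Unknown AWBs and
        requests inside the cooldown both yield None, which also stops the
        endpoint being used to flood a customer's phone with messages."""
        if awb not in self.shipments:
            return None
        now = self.clock()
        if now - self._last_issued.get(awb, float("-inf")) < self.resend_after_s:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self._otps[awb] = OtpState(self._digest(awb, code), now + self.otp_ttl_s)
        self._last_issued[awb] = now
        return code

    def verify_otp(self, awb, code):
        """Return the full record (with PII) only for a valid, unexpired OTP.
        Every wrong guess consumes an attempt; once max_attempts is reached the
        OTP is discarded, so a six-digit code cannot be enumerated. A correct
        code is single-use."""
        st = self._otps.get(awb)
        if st is None or self.clock() > st.expires_at:
            self._otps.pop(awb, None)
            return None
        st.attempts += 1
        if hmac.compare_digest(st.digest, self._digest(awb, code)):
            del self._otps[awb]
            rec = self.shipments[awb]
            return {"awb": awb, "status": rec["status"], **rec["pii"]}
        if st.attempts >= self.max_attempts:
            del self._otps[awb]
        return None


if __name__ == "__main__":
    svc = TrackingService(SHIPMENTS)
    print(svc.public_status("AWB0001"))        # status only
    otp = svc.request_otp("AWB0001")           # would be sent by SMS in practice
    print(svc.verify_otp("AWB0001", otp))      # full record, one time only
```

The design point is that the anonymous endpoint and the authenticated one return different shapes: `public_status` cannot leak PII however it is called, and `verify_otp` is the only path to it. The attempt counter and cooldown are what the article's "prevent automated attacks" update corresponds to; without them, a six-digit OTP on an unauthenticated tracking URL is only a speed bump.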
“Data privacy is of the utmost importance to us and we will ensure that such cases do not occur in the future,” said Vishal Totla, founder of Shipyaari, in an email response to toptecheasy.com.
Totla said that customer PII data is no longer displayed on the tracking page when it loads.
Shipyaari claims to handle more than 5,000 shipments per day. The company also has more than 6,000 active sellers across the country.
Barot stressed that India needed strict data privacy laws to help curb the growing number of data exposures and leaks.
Earlier this month, the Indian government repealed the much-anticipated Personal Data Protection Act, which had been expected to introduce strict rules to help protect the privacy of its citizens. The legislation had alarmed tech giants, which worried about how they would have to manage sensitive user information.