Tata Sky and Croma exposed data of millions even without hacking

In December 2020, cybersecurity researchers Rahil Bhansali and Ankit Pandey revealed that a small flaw in the Croma and Tata Sky websites exposed sensitive personally identifiable information to scammers without any hacking being required.

The exposed information included names, addresses, phone numbers and purchase history, and covered the personal data of celebrities, prominent businesspeople and doctors, among others. It also exposed transaction and subscriber IDs along with transaction histories.

The researchers documented the vulnerabilities in a two-part blog post on Medium.

Bhansali wrote in the blog post that the vulnerabilities stemmed from problems with the Application Programming Interfaces (APIs) of both websites. APIs are the interfaces through which websites and apps fetch data from back-end servers; an endpoint that returns customer records is normally expected to require authentication and to hand back only the requesting user's own data, so an endpoint that answers anyone who asks exposes the whole customer base to enumeration.
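The page does not spell out the exact mechanism of the flaw, so the following is an added illustration of the general class of API problem it describes (a customer-lookup endpoint that answers without checking who is asking), not the researchers' findings or Croma's or Tata Sky's code. The records, session tokens and function names are constructed for the example. It shows the exposed pattern next to a hardened version that resolves the caller from a server-side session, enforces ownership and returns only the fields the feature needs.

```python
"""Constructed illustration of an API endpoint that leaks subscriber PII.
Not the real Croma/Tata Sky flaw; all data and names are assumptions."""
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass(frozen=True)
class Subscriber:
    subscriber_id: str
    name: str
    phone: str
    address: str
    purchases: tuple


# Constructed sample data standing in for a back-end customer table.
SUBSCRIBERS = {
    "1000123": Subscriber("1000123", "A. Sharma", "+91-98xxxxxx01",
                          "Mumbai", ("HD set-top box",)),
    "1000124": Subscriber("1000124", "R. Iyer", "+91-98xxxxxx02",
                          "Bengaluru", ("Broadband plan",)),
}

# Constructed server-side session store: bearer token -> logged-in subscriber.
SESSIONS = {"tok-sharma": "1000123", "tok-iyer": "1000124"}


class Forbidden(Exception):
    """Raised when a caller is unauthenticated or not the record owner."""


def get_subscriber_exposed(subscriber_id: str) -> Optional[dict]:
    """Exposed pattern: the handler trusts the ID in the request and does no
    authentication or ownership check, so anyone who can guess or count
    through IDs can pull every record, with no exploit needed."""
    rec = SUBSCRIBERS.get(subscriber_id)
    return None if rec is None else asdict(rec)


def get_subscriber_hardened(subscriber_id: str, bearer_token: Optional[str]) -> dict:
    """Hardened pattern: identify the caller from the session, return only the
    caller's own record, and use one error for both 'unknown ID' and 'not
    yours' so the response does not confirm which IDs exist."""
    caller_id = SESSIONS.get(bearer_token or "")
    if caller_id is None:
        raise Forbidden("authentication required")
    if caller_id != subscriber_id or subscriber_id not in SUBSCRIBERS:
        raise Forbidden("not authorized for this record")
    rec = SUBSCRIBERS[subscriber_id]
    # Minimise the response: the feature does not need phone or address.
    return {"subscriber_id": rec.subscriber_id, "name": rec.name,
            "purchases": list(rec.purchases)}


def enumerate_exposed(start: int, count: int) -> list:
    """What a scraper does against the exposed handler: walk sequential IDs
    with no credentials and keep every record that comes back."""
    found = []
    for n in range(start, start + count):
        rec = get_subscriber_exposed(str(n))
        if rec is not None:
            found.append(rec)
    return found


if __name__ == "__main__":
    harvested = enumerate_exposed(1000120, 10)
    print(len(harvested), "records harvested with no credentials")
    print(get_subscriber_hardened("1000123", "tok-sharma"))
    try:
        get_subscriber_hardened("1000124", "tok-sharma")
    except Forbidden as err:
        print("blocked:", err)
```

The check a practitioner would run against a real API is the same as `enumerate_exposed`: take a valid request, strip or swap the session credential, change the ID, and see whether another customer's record comes back.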

Such data could be used by cybercriminals for identity impersonation, scams and extortion.

Using details such as a person's name, phone number and purchase history, a user can be duped into renewing a warranty or signing up for additional services on a fake web page, which then captures the person's banking or card details, Sai Krishna Kothapalli, CEO of Hackrew, told the Economic Times.

On his approach to handling such findings, Bhansali writes in his article: "My approach in each case has always been (& will continue to be) to understand the extent of the loophole, exhaust every connect to try and bring it to the company's notice, have them fix it and then write about it so consumers and companies alike can focus on improving their defences in protecting consumer data, privacy and security."

Tata Consultancy Services, the Tata Group company that provides technology services to Croma, resolved the issue, according to three people aware of the matter. Tata Group companies Croma and Tata Sky said on Thursday that they had fixed the vulnerabilities in their websites.
