Indian stock trading firm Upstox has revealed to users that it has suffered a serious security breach that may have seen unauthorised criminal access to millions of customers’ personal information.
According to a statement posted by Upstox on its website, it became aware that criminals may have compromised its databases after receiving emails from the suspected hackers.
Customers’ names, contact information, date of birth, bank account information, and millions of KYC (Know Your Customer) details are believed to have been stolen by the ShinyHunters gang after they gained access to the company’s Amazon AWS key.
A breach of KYC data is particularly serious – because it can contain scans of ID cards, passports, photo ID, and other documents that help prove an individual’s address such as utility bills.
Such information helps financial organisations determine the true identity of a customer, and fight money laundering and the funding of terrorism, but if they fall into the wrong hands can be abused by identity thieves and scammers.
Security researcher Rajshekhar Rajaharia told Medianama that the ShinyHunters gang were seeking a ransom payment from Upstox for the stolen data.
In response to the suspected breach, Upstox’s co-founder and CEO Ravi Kumar reassured customers that their funds remain safe, and said the company was strengthening its security:
“We would like to assure you that your funds and securities are protected and remain safe. Funds can only be moved to your linked bank accounts and your securities are held with the relevant depositories. As a matter of abundant caution, we have also initiated a secure password reset via OTP”
In addition, Upstox says it has temporarily disabled its desktop trading platforms, NEST trader terminal, Dartstock & Fox Trader. Users are advised to trade through its website instead.
Obviously it makes sense to ensure that you don’t use a password for your Upstox account that you are using anywhere else on the net, and don’t allow yourself to be tricked into sharing your OTP (one-time-password) code with anyone.
Upstox concludes by reminding customers that it takes customers’ security and privacy “very seriously.”