Aditya Birla Fashion and Retail Limited (ABFRL), one of India's biggest fashion retail companies, has become a victim of a massive data breach. Data containing over 5.4 million email addresses has allegedly been scraped from the Aditya Birla Group-owned platform and posted online. The alleged database includes personal customer information such as names, phone numbers, addresses, dates of birth, order histories, credit card details, and passwords stored as Message-Digest algorithm 5 (MD5) hashes. The breach is also said to include details of employees, including salary details, religion, and marital status.
The alleged Aditya Birla Fashion and Retail database has been made public by a hacker group known as ShinyHunters. Some affected customers were informed of the breach of ABFRL accounts by data breach tracking website Have I Been Pwned. As many as 5,470,063 Aditya Birla Fashion and Retail Limited accounts are said to have been breached and ransomed in December last year. The hacker group's ransom demand was allegedly rejected, and the data was subsequently posted publicly on a popular hacking forum.
To check if you have been a part of the breach, visit the Have I Been Pwned website and enter your email or phone number. Gadgets 360 has reached out to ABFRL for a comment on the breach. This report will be updated when we hear back.
"It's an enormous amount of data and it includes source code as well," Troy Hunt, the creator of the Have I Been Pwned website, told Gadgets 360. "There's a lot of personal information on customers, but also on staff. I've got no idea why they'd store sensitive PII like religion, along with very personal things like marital status. It's not clear why this would be required in order for someone to fulfil their job."
Hunt also noted that there was a complete lack of disclosure from ABFRL on the matter.
"The data is very extensively circulating on hacking forums yet as far as I know, they've yet to inform customers. That's inexcusable," he said.
ShinyHunters had access to the ABFRL database for many weeks, as per a report by RestorePrivacy. According to the report, the allegedly hacked information is claimed to include ABFRL employee data such as full name, email, birth date, physical address, gender, age, marital status, salary, religion, and more. It is also said to include ABFRL customer data, hundreds of thousands of invoices, the company's website source code, and server reports.
Gadgets 360 was able to independently verify the existence of the forum post created by ShinyHunters to announce the data leak.
"We tried to get in touch with ABFRL. They sent a negotiator but he was just stalling (the offer was more than reasonable for a 'US$ 45-Billion conglomerate'). So we decided to leak everything for you guys including their famous divisions such as Pantaloons.com or Jaypore.com," the hacker group noted in the post dated January 11. However, the exact amount requested for payment is unknown.
As per the report by RestorePrivacy, the data includes server logs and vulnerability reports for ABFRL Indian clothing brands including American Eagle, Pantaloons, Forever21, The Collective, Van Heusen, Peter England, Planet Fashion, and Shantanu & Nikhil.
The leaked database is said to include financial and transaction details with 21GB of ABFRL invoices. ShinyHunters informed RestorePrivacy that they acquired ABFRL customers' credit card data, specifically from Pantaloons. ABFRL staff is said to know that ShinyHunters is in possession of such data.