
India shipping logistics giant Shipyaari exposed customer data
Shipyaari, a Mumbai-based software company that offers shipping logistics to major consumer brands, exposed the personal data of thousands of its customers because of a months-long spill of its internal shipment information.
The exposed data, discovered by security researcher Ashutosh Barot, included Shipyaari customers' names, addresses, phone numbers, order invoice amounts and delivery status. According to Barot, Shipyaari's client tracking page was not password protected and could be viewed by anyone who had the web address.
"The exposed information could later be used to perform targeted social engineering attacks and financial frauds," Barot told TechCrunch.
The researcher initially contacted Shipyaari about the exposure in October 2021 and the company promised a fix in December. Some changes were made, but they did not fix the exposure. It was eventually fixed in late July after TechCrunch reached out about the security incident.
"I appreciate Shipyaari for fixing the issue and implementing recommendations," Barot said.
Shipyaari fixed the exposure by removing customers' personally identifiable information (PII) from the tracking page and restricting its access with a one-time PIN (OTP) system. It later updated the system to limit bad actors' ability to launch automated attacks against it.
"Data privacy is of utmost importance to us, and we will ensure such instances should not occur in the future," Vishal Totla, founder of Shipyaari, said in an email response to TechCrunch.
Totla said customer PII data will no longer display on the page while loading.
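To illustrate the remediation described above, here is an added example (not Shipyaari's code) of a tracking lookup that returns only the delivery status to an unauthenticated visitor, reveals PII only after a per-shipment OTP is verified, and caps OTP guesses to blunt automated attacks. The shipment record, field names and the `OtpGate`/`track` helpers are constructed for this example.

```python
import hmac
import secrets

# Constructed sample record (not real customer data)
SHIPMENTS = {
    "SY-0001": {
        "name": "Example Customer",
        "address": "12 Sample Street, Mumbai",
        "phone": "+91-0000000000",
        "invoice_amount": 1499.00,
        "status": "Out for delivery",
    },
}
PUBLIC_FIELDS = {"status"}   # everything else is PII, shown only after OTP
MAX_ATTEMPTS = 5             # per issued OTP; blocks brute-forcing a 6-digit code


class OtpGate:
    """Issues single-use OTPs per shipment and counts verification attempts."""

    def __init__(self):
        self._pending = {}   # shipment_id -> [otp, attempts]

    def issue(self, shipment_id):
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[shipment_id] = [otp, 0]
        # A real deployment sends the OTP to the phone on record; it is
        # returned here only so the example can be exercised offline.
        return otp

    def verify(self, shipment_id, candidate):
        entry = self._pending.get(shipment_id)
        if entry is None or entry[1] >= MAX_ATTEMPTS:
            return False                       # no OTP outstanding, or locked out
        entry[1] += 1
        if hmac.compare_digest(entry[0], candidate):
            del self._pending[shipment_id]     # single use
            return True
        return False


def track(shipment_id, gate=None, otp=None):
    """Return the shipment view: public fields only unless the OTP checks out."""
    record = SHIPMENTS.get(shipment_id)
    if record is None:
        return None
    if gate is not None and otp is not None and gate.verify(shipment_id, otp):
        return dict(record)
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}
```

Because the public view never contains PII, even a leaked tracking URL exposes nothing beyond the delivery status, and the attempt cap means an OTP cannot be guessed by scripting requests.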
Shipyaari claims to handle more than 5,000 shipments a day. The company also has more than 6,000 active sellers across the country.
Barot underlined that India needed strong data privacy laws to help limit growing instances of data exposures and leaks.
Earlier this month, the Indian government withdrew the long-anticipated Personal Data Protection Bill, which had promised to bring stringent rules to help protect its citizens' privacy. The legislation alarmed tech giants and raised concerns about how they could manage sensitive user information.