Upstox alerts users of data breach; says funds, securities remain safe

Retail broking firm Upstox has alerted customers of a security breach that included contact data and KYC details of customers, but assured users that their funds and securities remain safe.

The development comes close on the heels of reports of data breaches at organisations like MobiKwik, Facebook and LinkedIn.

“On receipt of e-mails claiming unauthorised access into our database, we have appointed a leading international cyber-security firm to investigate possibilities of breach of some KYC data stored in third-party data warehouse systems.

“This morning, hackers put up a sample of our data on the dark web,” a company spokesperson said in an e-mailed statement.

The spokesperson added that as a proactive measure, the company has initiated multiple security enhancements, particularly at the third-party warehouses, real-time 24×7 monitoring and additional ring-fencing of its network.

“As a matter of abundant caution, we have also initiated a secure password reset via OTP for all Upstox users. Upstox takes customer security extremely seriously.

“Funds and securities of all Upstox customers are protected and remain safe. We have also duly reported this incident to the relevant authorities,” the spokesperson said.

The spokesperson further said that at this point, “we don’t know with certainty the number of customers whose data has been exposed”.

Upstox, which is backed by investors like Tiger Global and Ratan Tata, has over three million users.

On the company website, Upstox co-founder and CEO Ravi Kumar said funds and securities of customers are protected and remain safe.

“Funds can only be moved to your linked bank accounts and your securities are held with the relevant depositories.

“As a matter of abundant caution, we have also initiated a secure password reset via OTP. Through this time, we have also strongly fortified our systems to the highest standards,” he said.

He added that the company has restricted access to the impacted database, and added multiple security enhancements at all third-party data-warehouses.

The company has also ramped up its bug bounty programme to encourage ethical hackers to stress test its systems and protocols and help it identify any vulnerabilities from time to time.

The company has urged customers to always use unique strong passwords that are different from older versions and to not share OTPs with anyone. It also urged the customers to beware of online fraud and double-check the legitimacy of links and senders, to watch out for OTPs that they have requested and to alert the service provider in such events.

Dear Reader,

Business Standard has always strived hard to provide up-to-date information and commentary on developments that are of interest to you and have wider political and economic implications for the country and the world. Your encouragement and constant feedback on how to improve our offering have only made our resolve and commitment to these ideals stronger. Even during these difficult times arising out of Covid-19, we continue to remain committed to keeping you informed and updated with credible news, authoritative views and incisive commentary on topical issues of relevance.

We, however, have a request.

As we battle the economic impact of the pandemic, we need your support even more, so that we can continue to offer you more quality content. Our subscription model has seen an encouraging response from many of you, who have subscribed to our online content. More subscription to our online content can only help us achieve the goals of offering you even better and more relevant content. We believe in free, fair and credible journalism. Your support through more subscriptions can help us practise the journalism to which we are committed.

Support quality journalism and subscribe to Business Standard.

Digital Editor