A day after Web-based food and restaurant aggregator Zomato reported a security breach and hacking of its data, including account information of 17 million customers, it sounded an 'all-clear' and reassured users of no damage done.
The breach was first detected by HackRead, a website devoted to security breaches and confirmed by Zomato on Thursday.
A few hours ago, Zomato said it had got in touch with the hacker who used the name 'nclay'. He had cooperated with Zomato and taken down the link in the Net's underworld marketplace where the hacked data was on sale for about a thousand dollars.
The paltry amount, considering Zomato admitted some 6.6 million user names, IDs and passwords had been stolen (and not 17 million, since the majority used their Facebook or Google IDs), suggests that the hacker was not serious about making money from the cyber heist, or only used the sale offer post as a bargaining chip.
Zomato says he sought a bug bounty programme (where ethical hackers are rewarded for pointing out flaws in corporate web operations) and has promised to institute just such a programme. Its current bug report programme on HackerOne offers no monetary reward, just a pat on the back, so clearly the un-named hacker is looking for something more concrete—and pocket-jingling.
In a Twitter post, Zomato founder Deepinder Goyal assured users, "Your credit card info and your addresses are fully safe and secure". However, out of an abundance of caution, it recommends that customers change their passwords anyway, especially if they are the same across multiple services.
The Zomato blog where the company earlier posted these updates was not accessible till 3 pm when this report was filed on May 19, possibly taken down due to heavy traffic.
While Zomato seems to have managed the immediate crisis, some questions remain unanswered. Ethical hackers usually work in cooperation with the target enterprise. For example, the Election Commission has said it would shortly organise a legal session for hackers to try and breach the Electronic Voting Machine. In the Zomato case, the company seems to have been caught by surprise by the hacker. What sort of deal did they do to have him cooperate? 'Bug Bounty Programme' seems to read like a euphemism for some sort of pay-off.
Consumers have some learnings too: If you regularly buy services on the Web, it is better to use a separate credit or debit card or an e-cash service for the purpose, and set the maximum balance or credit limit quite low to limit any potential damage. Because, in the very tentative state of India's cyber laws, recovering one's losses due to the possible negligence of an e-commerce entity may be a long and tortuous process.
For enterprises functioning in today's hostile e-security environment, such breaches can happen no matter how high the firewalls. It may be in everyone's interest if online entities test the strength of their cyber defences in controlled hacks, rather than let someone hack first, negotiate later.
*Zomato is a restaurant search and discovery app, providing in-depth information for over 1 million restaurants across 23 countries. Zomato is used by consumers globally to discover, rate, and review restaurants, as well as create their own personal networks of fellow food enthusiasts.