The Website Planet security team have identified a worrying data breach within packaging acquisition firm Bizongo, a digital supply-chain platform based in Mumbai, India.
As of late December 2020, our team discovered a misconfigured bucket owned by Bizongo, leaving highly sensitive customer information unsecured and potentially exposed to hackers and other harmful individuals. Given the size of the breach, over a thousand businesses could be affected, along with hundreds of thousands of people.
Bizongo is an online packaging marketplace with a vast network of over 400 clients spanning a multitude of industries, and has delivered more than 860 million packages to date.
Anyone who has received a package via Bizongo, or placed an order with the company, is at risk from this data breach.
Customer Data Leaked
PII data: Names, delivery addresses, billing addresses, and phone numbers of buyers have been exposed.
Payment details: Bills containing purchase details and financial details of clients, along with shipping tracking numbers and financial data of buyers and sellers.
Bizongo left customer data sitting unsecured in a misconfigured Amazon Web Services (AWS) S3 bucket, a widely used cloud storage service. For a period of time, the names, addresses, phone numbers and financial details of buyers and sellers were accessible to potentially harmful third parties.
In total, 2,532,610 files were exposed, equating to 643GB of data. Bizongo’s bucket was live at the time of discovery and contained several files with recent dates.
According to our security team, two different types of file were stored on the bucket: customer bills and shipping labels, both left unsecured, as the examples below show.
The exact period of time in which this data has been unsecured is currently unknown. However, we can tell you that the breach was identified and reported on December 30th, 2020. Although we never received a response from Bizongo regarding this data breach, the Website Planet security team checked the bucket again on January 8th, 2021, by which time the breach was closed.
Bizongo works with over 750 manufacturers, and supplies packaging to more than 400 clients. This means that there could be more than a thousand businesses affected.
It is difficult to know exactly how many people are affected, given that one business could order to a single address, while another could send packaging to multiple addresses or place orders under multiple names. There are certainly thousands of people at risk and, considering the scale of Bizongo’s operation, potentially many more.
Although India has not yet enacted specific data protection legislation, Bizongo is still culpable for any improper disclosure of personal data. Affected individuals are well within their rights to seek legal action and compensation.
Who Was Affected
Bizongo is a business-to-business brand, meaning that this breach will primarily affect other businesses and not the general public.
Bizongo’s primary focus is serving Indian businesses, and there is no evidence to suggest that its services reach beyond the borders of India. That said, the company has just changed its website domain to a ‘.com’, which suggests there is potential for international business.
Known clients of Bizongo include: Saso, Jodhpur, Delhivery, Box 8, Bunge, Neolite, snapdeal, Carnival Group, Jio, Cure.fit, swiggy and Flipkart. There is a possibility that these clients have been affected by the breach.
Any Indian business or packaging supplier that has used the Bizongo platform is also at risk of this data breach. Concerned parties should seek further clarification about their data, and this breach, from Bizongo themselves.
Who Was Leaking the Data?
Bizongo is a B2B online packaging marketplace that streamlines the procurement and delivery of packaging solutions to businesses throughout India. Bizongo connects clients with the products of packaging manufacturers, cutting out the negotiation process. They are a relatively new company, founded in 2015, and currently employ between 250 and 500 members of staff.
Thus far Bizongo has delivered over 860 million packages throughout the nation, with packaging solutions supplied across a diverse range of industries – from retail, to logistics, engineering, cosmetics, e-commerce, and many others. Bizongo has raised more than $79 million in funding, with investors pledging $9 million at the start of 2021 (as per Crunchbase).
Though S3 is an Amazon product, Amazon is not responsible for this data breach: under the AWS shared responsibility model, who is allowed to read a bucket is configured by the customer, not by Amazon. The exposure is likely the result of human error on the part of Bizongo, whereby the bucket was misconfigured.
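The kind of misconfiguration described above can be caught by auditing two things a bucket owner controls: the bucket policy and the S3 Block Public Access settings. The following is an added example written for this article, not code from Bizongo or Website Planet; the two policies and the bucket, account and role names in them are constructed samples, and the check deliberately simplifies AWS's own "public" evaluation by treating any Condition as narrowing the grant.

```python
# Constructed samples. The open policy grants anonymous read of every object: the
# shape of misconfiguration that leaves a bucket readable by anyone on the internet.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

# The same read access scoped to a single IAM role (hypothetical account and role name).
LOCKED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppReadOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/shipping-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

# S3 Block Public Access settings (these four keys are the real setting names).
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
BLOCK_NONE = {key: False for key in BLOCK_ALL}


def _is_wildcard_principal(principal) -> bool:
    """True if a statement's Principal is anyone: "*" or {"AWS": "*"} (or a list containing it)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_statements(policy: dict) -> list:
    """Return the Sids of Allow statements granted to any principal without a Condition.
    Simplification (assumption): any Condition is treated as narrowing the grant."""
    stmts = policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow"
            and _is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]


def bucket_exposed(policy: dict, block_public_access: dict) -> bool:
    """Exposed only if the policy is public AND RestrictPublicBuckets is off;
    with RestrictPublicBuckets on, S3 ignores public grants in the bucket policy."""
    if block_public_access.get("RestrictPublicBuckets", False):
        return False
    return bool(public_statements(policy))
```

Against a live account the same two inputs come from the boto3 S3 client's get_bucket_policy and get_public_access_block calls; bucket ACLs, which the example does not cover, are a second way a bucket can become readable and should be audited alongside the policy.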
Impact on End Users
We cannot know for certain whether the unsecured data has been accessed by unethical hackers and scammers. However, there is every chance that the leaked data has been found, in which case there are a number of risks that users should be aware of.
Identity Theft and Fraud – Leaked personal data, like names, addresses and phone numbers, could be used to target victims, and assist in fraudulent activities across several other platforms.
Scams – Exposed phone numbers could be used to target victims with scams. Here, scammers will try to establish trust by using your personal information. They are likely to attempt to con victims into disclosing their bank account details, or other sensitive and personal information.
Business Espionage – Businesses could be targeted by competitors who find out about the leaked user list.
Theft – Available personal information and shipping details mean large quantities of product could be intercepted, and vulnerable to theft.
Impact on Bizongo
Data Privacy Laws
As mentioned before, Bizongo is required to provide an adequate level of security for the data of their clients and partners. Though a breach of this ‘rule’ is not punishable by law (as of yet), affected parties are entitled to pursue legal action, and compensation, if their data is leaked.
Loss of Business
This data breach also potentially damages the reputation of Bizongo, with a loss of business a common result.
Bizongo’s failure to properly secure the data of clients and associated brands posits them as an untrustworthy organization. Businesses looking to try out the platform could now avoid Bizongo altogether.
If Bizongo cannot ensure the safety of its clients and partners, those existing clients and partners may also look to carry out their business elsewhere.
Business Espionage
This is the act of using espionage (spying) to gain a commercial or financial advantage over business competitors.
The data breach opens Bizongo up to this kind of threat, along with all of the suppliers and clients that had their information exposed. Hackers may be able to pose as a member of the business, or a client, to access confidential information like accounts, or even trade secrets.
Competitors would be able to steal information and, with access to price points and client details, easily undercut and undermine Bizongo’s business operations.
Status of the Data Breach
The breach was discovered on December 30th, 2020, and we informed Bizongo of the breach on the same day. We also disclosed the breach to AWS on January 2nd, 2021.
Bizongo did not respond to our efforts to reach out. Our security team checked the status of the bucket again on January 8th. Thankfully, the bucket was found to be secure, and the breach was closed.
With clear examples of branded shipping labels and customer receipts, finding the owner of the breached database was reasonably straightforward. All of the exposed data was identified as accurate, with the data belonging to real individuals.
Protecting Your Data
Being on the wrong end of a data breach is unfortunate, and not particularly pleasant. Nonetheless, there are steps you can take to minimize the risk of fraud, scamming, phishing or espionage.
First of all, if you fear that your data is being kept on an unsecured database, you can request that your data be deleted. Simply get in touch with the company in question and ask them to take you off their database. They will have to comply, in accordance with privacy standards.
You should also be extra vigilant when conversing with unknown parties over the phone or by email. If an unverified party asks you to click a link or download a file, refuse to do so until you can be absolutely certain that the interaction is legitimate and not a scam. Ask for proof of auditing where necessary, and consider implementing additional security procedures in the future.
Similarly, you should be wary of unknown parties asking an excessive amount of questions about your business operations. You can safeguard against additional attacks from hackers, or competitors, by ensuring that your own databases are safe and secure.
We recommend that you hire a cybersecurity professional to be sure that your databases are guarded against harmful individuals.
How and Why We Report on Data Breaches
We want to help our readers stay safe when using any website or online product.
Unfortunately, most data breaches are never discovered or reported by the companies responsible. So, we decided to do the work and find the vulnerabilities putting people at risk.
We follow the principles of ethical hacking and stay within the law. We only investigate open, unprotected databases that we find randomly, and we never target specific companies.
By reporting these leaks, we hope to make the internet a safer place for everyone.
Website Planet is the number one resource for web designers, digital marketers, developers, and businesses with an online presence.
Our team of ethical security research experts uncovers and discloses serious data leaks as part of a free community service we perform for the web at large.