India’s Largest Tech Retailer Suffered a Massive Data Breach, Affecting Employees and Customers


Jeremiah Fowler
Recently, security researcher Jeremiah Fowler discovered and reported to WebsitePlanet a non-password-protected database containing over 8 million documents related to India’s biggest tech retailer. The publicly exposed documents included highly sensitive personally identifiable information (PII) as well as salary information, detailed employment records, and customer data.

The unsecured database contained the name Poorvika throughout the records and file names. The records contained employee data such as religion, sex, date of birth, marital status, family dependents, and other PII. The records also indicated if they were still employed, terminated, or if they quit, and the reason for their departure (e.g., personal problems or health and medical reasons). I immediately sent a responsible disclosure notice to Poorvika, and the database was closed to public access that same day. However, I never received a reply or response from the company regarding my findings.

According to its website, Poorvika is the largest tech retailer in India, which specializes in mobile phones and mobile-related accessories. Poorvika was founded in 2004 and has since grown to become one of the largest mobile retailers in the country, boasting over 500 stores across 43 cities. Poorvika also has an online portal that sells smartphones, laptops, computers, smart devices, and tech accessories. The company claims to be India’s leading retailer for top brands like Apple, Samsung, Oppo, Vivo, Xiaomi, OnePlus, Redmi, Realme, Nokia, amongst others.

What the database contained:

  • Total number of records: 8,091,993 with a total size of 725.8 GB.
  • The database contained a folder named “All Databases”, which included SQL backups of Poorvika databases, as well as backups of its app and website’s source code.
  • One folder contained 668,243 accounts with names and personal data of what appeared to be customers or app users.
  • In a limited search of a single human resources backup folder, there were also business and personal employee email addresses; when running a search query for Gmail accounts, the single folder contained 45,542 Gmail addresses.
  • Internal records included 53,885 PDF files of tax invoices, payment receipts that exposed partial credit card numbers, and other data pertaining to both the customers and the company itself.
  • Human resources files contained employee data, including salary and bank account information.

Apparently, this is not the first data-exposure incident involving Poorvika. In March 2023, a Twitter user claimed that the SiegedSec hacker group purports to have obtained a database from Poorvika Mobiles, a retailer based in India. The alleged database includes 15 GB of Poorvika account data, financial info, staff data, PII, and more. This volume of data is smaller compared to the 725.8 GB that I discovered was publicly available to anyone with an internet connection.

PoorVika Report
This screenshot shows a Tweet suggesting a different, smaller database was reportedly compromised. To the best of my knowledge, this was not connected to the full company database that, according to my findings, was publicly accessible. The Tweet was posted on March 20th, and I reported my findings on April 19th – almost one month to the day. There was no official response from Poorvika on either instance.

The risk of exposed source code.

Leaked source code poses a significant risk, particularly if the code is usually proprietary or confidential. If the source code is proprietary, exposing it can lead to intellectual property theft, where others could use or modify the code without permission or compensation. Exposed source code can also reveal potential security vulnerabilities, allowing hackers to identify and exploit weaknesses in the system or insert malicious code. This could lead to future data breaches, unauthorized access to systems, and other security incidents. Another hypothetical risk is that, if a competitor gained access, they could potentially use the information to develop similar products or services, thereby possibly eroding a company’s competitive advantage. I highly recommend that any company that collects and stores their data in the cloud take measures to protect their source code. This can be done by following various security standards, such as using secure coding practices, implementing access controls, and conducting regular security assessments to identify potential vulnerabilities.

Employee and customer data breach can be a significant risk.

Data breaches which involve employees and customers may result in the theft or loss of sensitive information, such as personally identifiable information (PII), financial data, health information, and more. This information can be exploited in a number of ways by malicious actors. For instance, exposed internal records (such as employee bank account details) could potentially allow criminals to steal identities, commit fraud, or carry out a wide range of other illicit activities. Identity theft could also potentially allow malicious actors to impersonate someone and gain access to sensitive accounts, obtain credit or bank details, or even open new credit accounts in their name.

Exposed email addresses could be a potential target for phishing scams, where fraudsters try to use insider information to trick people into giving away more sensitive information, such as passwords or credit card details. Social engineering is another serious risk associated with exposed data, as criminals could see job titles and target specific employees – from senior executives all the way down to sales representatives. Once criminals gain the trust of these individuals, they could attempt to get access to sensitive information or systems. These types of fraud can be easy to perpetrate when using insider information that only an employer would know.

We are not implying any wrongdoing by Poorvika. Furthermore, we do not suggest that employees or customers were necessarily at risk due to the public exposure of the database. It is unclear how long this database was exposed or who else may have gained access to these records, documents, and code. We publish our findings for educational purposes – to provide real world examples of potential security flaws and risks to individuals.

What you can do if your data was exposed.

We recommend that individuals who suspect they have been involved in any data exposure be on the lookout for any suspicious activity. If you are concerned about your data security following this event, here are some steps you can take:
  • Change your passwords: For Poorvika or any other accounts where you might have used the same password.
  • Monitor your accounts: Keep a close eye on your financial records and other important accounts for any unusual activity.
  • Be wary of phishing attempts: Be extra cautious when you receive any unsolicited communications requesting your personal information or credentials.
  • Consider identity theft protection services: These services can monitor various databases to detect if your personal information is being traded or sold.
  • Update your security questions: If you used similar security questions/answers across multiple sites, update them so they are unique for each site.