Aditya Birla Apparel & Retail Ltd (ABFRL), India's leading fashion firm, suffered a data breach on its portal that exposed the private details of both its customer and employees.
Earlier this week, it was reported that the firm's 5,470,063 ABRFL accounts were compromised and the ransom demand made by the hacker gang called ShinyHunters was purportedly turned down. As a result, the information was made public on a famous hacking forum.
Additionally, the reports claimed that the leaked information included customer information including names, phone numbers, addresses, dates of birth, order histories, credit card details, passwords, and details of employees, including salary details, religion, and marital status.
Server logs and vulnerability reports for ABFRL Indian apparel labels American Eagle, Pantaloons, Forever21, The Collective, Van Heusen, Peter England, Planet Fashion, and Shantanu & Nikhil are among the leaked information.
As per the report of Restore Privacy, the compromised database contained ABFRL client data, hundreds of thousands of invoices, as well as the company's website source code and server statistics.
In a letter to its customers, the company said it is investigating a breach and assure its customers that no private information was leaked. “There was an information security incident entailing illegal access to customer (data)base and profile Info of some customers (was) released In some cyber forums. As a precautionary move, the company has reset all client passwords and enabled OTP-based authentication, as well as taken further steps to secure access to customer and employee information," the company’s representative stated.
ABFRL, which reported a revenue of Rs 5,181.14 crore in the previous financial year, claims to be the country's largest "pure-play fashion powerhouse with an elegant bouquet of leading fashion brands and retail formats".
At the end of the second quarter of the ongoing fiscal, the company boasts of a network of 3,264 stores across approximately 26,841 multi-brand outlets. It has a repertoire of leading brands, such as Louis Philippe, Van Heusen, Allen Solly and Peter England, along with India's largest value fashion retail brand Pantaloons.
Cybersecurity researcher Rajaharia noted that the hacker group was claiming that ABFRL was storing its passwords using message-digest algorithm 5 (MD5), which is a dated algorithm.
“The company should constantly update its algorithms as otherwise; the affected users would not be able to secure their data even after changing their passwords. The hacker group would easily be able to gain user data access again by exploiting the vulnerabilities of the dated hashing algorithm,” the researcher said.