In a statement, trading app Upstox has alerted customers to a security breach that exposed their contact data and know-your-customer (KYC) details. An Upstox spokesperson said that they don’t know with certainty the number of customers whose data had leaked, but confirmed the leak took place, since a portion of the data was published on the dark web.
Upstox is an Indian fintech company that offers innovative investment options and provides securities brokerage and stock trading services. Upstox has over three million users and is backed by investors like Tiger Global and Ratan Tata.
The fintech firm assured its customers that their funds and securities are safe.
“Funds can only be moved to your linked bank accounts and your securities are held with the relevant depositories. As a matter of abundant caution, we have also initiated a secure password reset via OTP. Through this time, we have also strongly fortified our systems to the highest standards,” Upstox co-founder and CEO Ravi Kumar said in an announcement on the company website.
This breach comes shortly after reports of massive data leaks at Facebook, LinkedIn, and MobiKwik.
Upstox has involved a third-party company to help with the investigation:
“On receipt of e-mails claiming unauthorised access into our database, we have appointed a leading international cyber-security firm to investigate possibilities of breach of some KYC data stored in third-party data warehouse systems. This morning, hackers put up a sample of our data on the dark web,” a company spokesperson said in an e-mailed statement.
As a proactive step, the company has implemented security measures at the third-party warehouses, real-time 24×7 monitoring, and additional ring-fencing of its network.
“As a matter of abundant caution, we have also initiated a secure password reset via OTP for all Upstox users. Upstox takes customer security extremely seriously. Funds and securities of all Upstox customers are protected and remain safe. We have also duly reported this incident to the relevant authorities,” the company’s spokesperson said.
The company said it also expanded its bug bounty program to encourage ethical hackers to stress-test its systems to help it identify vulnerabilities early.
The company reminded customers to always use unique strong passwords and to beware of online fraud.