Retail broking firm Upstox has warned customers of a security breach that involved contact data and KYC details of customers but convinced users that their funds and securities remain safe.
Indian stock trading firm Upstox has communicated to its users that it has suffered a grave security breach that may have been seen as illegal criminal access to millions of customers’ personal information.
According to the remark posted by Upstoc on its website, it became aware that cybercriminals may have jeopardized its databases after receiving emails from the suspected hackers.
Customers’ names, Date of Birth, Bank Account Information, Contact Information, and million of KYC (Know Your Customer) details appear to have been stolen by the ShinyHunters gang after the group gained access to the firm’s Amazon AWS key.
A breach of KYC data is particularly severe – because it can contain scans of Photo IDs, Passports, ID Cards, and other records that help prove an individual’s address such as utility bills.
This type of information helps financial organizations to determine the true identity of a user, and fight money laundering and the funding of terrorism, but if the information falls into the wrong hands, the data can be abused by identity thieves and scammers.
Security researcher Rajshekhar Rajaharia told Medianama that the ShinyHunters gang was seeking a ransom from Upstox for the stolen data.
In response to the suspected breach, Upstox’s co-founder and CEO Ravi Kumar comforted customers that their funds remain preserved, and said the company was strengthening its security:
“We would like to assure you that your funds and securities are protected and remain safe. Funds can only be moved to your linked bank accounts and your securities are held with the relevant depositories. As a matter of abundant caution, we have also initiated a secure password reset via OTP”
Besides, Upstox says it has briefly disabled its desktop trading platforms, Fox Trader, Dartstock, and NEST trader terminal. Users are guided to trade through its website instead. It makes sense to guarantee that you do not use a password for your Upstox account that you are using anywhere else on the net, and do not allow yourself to be deceived into sharing your OTP (one-time-password) code with anyone.
Upstox decides by reminding customers that it takes customers’ security and privacy “very gravely.”