Bengaluru-based rental company, Rentomojo, which offers furniture, home appliances and electronics to over 1.1 lakh subscribers, has confirmed that one of its databases was breached, which led to a trove of information being leaked online, including personally identifiable information like name, address and date of birth, among others.
Those impacted have also received an email from a cybercriminal group known as Shinyhunters, which were previously also involved in the BigBasket leak of over 20 million customer data records online in 2021. The criminals are threatening to release the data after the company failed to comply with ransom demands.
Rentomojo maintains that the breached database didn’t contain any financial information like credit or debit cards and UPI, so the cybercriminals do not have access to these datasets.
The company says the database was breached by exploiting a “cloud misconfiguration” and that they’ve initiated an investigation and are taking the help of cybersecurity and legal experts.
In addition to the PR-speak, Rentomojo’s email to its customers read, “Our team identified a security breach that involved unauthorised access to one of our databases. While we are all still investigating, we believe it is our responsibility to inform you first. It appears that the attackers were able to get unauthorised access to our customer data, including personally identifiable information, by exploiting the cloud misconfiguration, thus breaching one of our databases.”
The rental service also told customers in the email that they’ve implemented measures to prevent such incidents in the future, including encrypting information stored in the database (indicating that the leaked information wasn’t encrypted) and MFA (multi-factor authentication) — things that should’ve been in place already and would’ve taken only an insignificant amount out of the crores of funding and debt financing raised by Rentomojo.
In the News: Pakistan-based hackers are trying to hack the Indian government