Upstox alerts users of potential data breach, says funds and securities are safe
Brokerage firm Upstox on Sunday disclosed that its databases containing user details might have been breached, adding that it had taken steps to mitigate the issue, inform the authorities and improve its existing security systems. The revelations come shortly after another startup reportedly suffered a data breach involving millions of user’s personal information.
In an announcement made on the company’s website on Sunday, the company stated that it had received information that its database had been accessed without authorisation and that these databases included user’s contact information and their KYC information. However, the company stated that all of their clients’ funds were protected and not affected by the breach. The incident was first reported by the Economic Times.
“We have upgraded our security systems manifold recently, on the recommendations of a global cyber-security firm. We brought in the expertise of this globally renowned firm after we received emails claiming unauthorized access into our database,” the company posted on its website. It also said that client funds could only be moved to a linked bank account and that securities were held with the relevant depositories.
We have upgraded our security systems in light of recent events around unauthorized database access. Read more: https://t.co/1axNC83CG6— Upstox (@upstox) April 11, 2021
The company says it has strengthened its existing systems by immediately restricting access to the impacted database, adding multiple security enhancements at all third party data-warehouses, setting up real-time 24x7 monitoring, and adding additional ring-fencing to the network. “As a matter of abundant caution, we have also initiated a secure password reset via OTP,” the company said.
The company said it is also scaling up its bug bounty program “to encourage ethical hackers” to “stress-test its systems and protocols” and “help it identify any vulnerabilities” from time to time. The company said it had already reported the incident to the authorities and advised customers to follow secure practices like using strong passwords, never sharing OTPs, and watch out for unauthorised OTPs, while checking the legitimacy of links and senders.