It has been revealed that the personal data of more than 5 million Yatra.com customers was exposed in a data breach of the Indian online travel bookings platform.
The breach occurred back in 2013, however it was only last week that the breach was revealed on Twitter. Have I Been Pwned (HIBP), a website that checks if your account has been compromised in a data breach, tweeted:
New breach: Indian bookings website Yatra had 5M records breached in 2013 including email & physical addresses, phone numbers & plain text passwords & PINs. The breach was previously reported by @Vigilante_pw, 60% of emails were already in @haveibeenpwned https://t.co/LGaAnj1hUA
— Have I Been Pwned (@haveibeenpwned) July 4, 2018
The 5,033,997 accounts affected contained:
- Email addresses;
- Physical addresses;
- Dates of birth;
- Phone numbers; and
- PINs and passwords stored in plaintext.
Yatra.com is yet to publicly comment on the breach.
What should you do if you are a Yatra.com customer?
To check if you’ve been affected, enter your account email address on HIBP’s website.
If you use your Yatra.com password for any other account or website, you should change them too.
What does this data breach mean for Yatra.com?
The breach has been revealed at a time when there is a growing concern about the security of customers’ data online.
When an organisation suffers a data breach the consequences can be disastrous, and can include:
- Financial damage: Costs include paying back any money taken because of the breach, compensating affected customers and incurring penalties from regulatory bodies.
- Reputational damage: In this particular case, Yatra.com customers may lose trust and confidence in the brand and will certainly question how the breach went unnoticed for so long. Breaches also put off many potential customers from engaging in business.
Improved data protection is essential
There is a growing need for Indian organisations to better protect their data.
In a recent blog post, IT Governance reported that there were 29 data breach incidents in India in 2017 – a 20% increase on the previous year. Worryingly, the first half of 2018 has seen several major data breaches hit Indian organisations.
The EU GDPR (General Data Protection Regulation) came into effect on 25 May 2018, and applies to any organisation collecting, storing or processing EU residents’ personal data, irrespective of the organisation’s location or where the data is processed.
Asia-Pacific companies with any connection to Europe – whether through subsidiaries, customers or suppliers – need to take steps to determine whether the GDPR is applicable to them, and to consider revising their information handling processes to ensure compliance.
ISO 27001, the international standard for information security management, provides an excellent starting point for organisations looking to achieve the technical and operational requirements necessary to prevent a data breach under the GDPR.
Download our informative guide to GDPR compliance, and its relation to ISO 27001, to discover:
- What a comprehensive data security regime looks like;
- What an ISMS (information security management system) is and how to go about implementing one;
- How achieving ISO 27001 certification can enable you to meet the GDPR’s technical and organisational requirements; and
- Useful guidance to effectively meet the GDPR’s data security requirements.