Aditya Birla Fashion and Retail Limited (ABFRL), one of India’s biggest fashion retail companies, has recently been part of a massive data breach. Data with over 5.4 million email addresses have been allegedly scraped from the Aditya Birla Group-owned platform and posted online. Personal client information such as names, phone numbers, addresses, dates of birth, order histories, credit card details, and passwords are allegedly saved as Message-Digest algorithm 5 (MD5) hashes in the purported database. The data leak is claimed to include employee information such as salary, religion, and marital status. ABFRL spokesperson confirmed the incident, saying the company has reset passwords of all customers.
“It’s an enormous amount of data and it includes source code as well,” Troy Hunt, the creator of the Have I Been Pwned website, told Gadgets 360. “There’s a lot of personal information on customers, but also on staff. I’ve got no idea why they’d store sensitive PII like religion, along with very personal things like marital status. It’s not clear why this would be required in order for someone to fulfil their job.”
The hacked database is reported to contain financial and transaction information, as well as 21GB of ABFRL bills. ShinyHunters told RestorePrivacy that they had obtained credit card information from ABFR customers, notably Pantaloons. The ABFRL personnel is alleged to be aware that ShinyHunters has such information.
