Durex India suffers embarrassing data breach exposing online customer data
Durex’s Indian arm has suffered a security breach that saw a large amount of sensitive customer data stolen.
A security researcher named Sourajeet Majumder contacted TechCrunch recently with the news of the breach at the company’s Indian branch. He noted that Durex India’s website lacked proper authentication on the order confirmation page, making it possible for unauthenticated users to access private customer data.
The data includes customer names, telephone numbers, email addresses, shipping addresses, products ordered and the amount paid.
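The flaw described above is a missing authorization check on an order-confirmation lookup. As an added illustration (not Durex India's code, and built on constructed sample orders), the following shows that pattern beside a hardened version that requires an authenticated session and verifies that the order belongs to the requesting customer:

```python
"""Hypothetical order-confirmation lookup: the unauthenticated pattern beside an
ownership-checked version. All data is constructed; this is not the shop's code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    # Same fields the article says were exposed.
    order_id: int
    customer_id: int
    name: str
    phone: str
    email: str
    shipping_address: str
    products: tuple
    amount_paid: float


# Constructed sample orders standing in for a shop's order table.
ORDERS = {
    1001: Order(1001, 1, "A. Customer", "+91-00000-00001", "a@example.com",
                "1 Example Road", ("product-a",), 499.0),
    1002: Order(1002, 2, "B. Customer", "+91-00000-00002", "b@example.com",
                "2 Example Road", ("product-b", "product-c"), 899.0),
}


def confirmation_unauthenticated(order_id: int) -> Optional[Order]:
    """The flaw class in the article: the page keys only on the order id,
    so anyone who reaches the URL is served the customer's record."""
    return ORDERS.get(order_id)


def confirmation(order_id: int, session: Optional[dict]) -> Optional[Order]:
    """Hardened lookup: require an authenticated session AND require that the
    order belongs to the session's customer (object-level authorization).
    'Not found' and 'not yours' both return None so the response does not
    reveal whether a given order id exists."""
    if not session or not session.get("authenticated"):
        return None
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session.get("customer_id"):
        return None
    return order
```

A denied lookup is also the event worth logging and alerting on: a client that repeatedly requests other customers' order ids is the signal a defender wants to see.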
Confirmed claims
We don’t know exactly how many people were affected by this bug, but it appears to be in the hundreds.
“For a brand that deals with intimate products, it is crucial to ensure privacy,” said Majumder.
TechCrunch says it has been able to confirm the researcher’s claims, and that the data is still accessible and the exploit can still be replicated. As such, details of the flaw are being withheld until Durex India fixes the issue.
After his discovery, Majumder contacted India’s Computer Emergency Response Team (CERT-In), which “confirmed his email”.
“Affected customers may also face social harassment or moral policing as a result of this breach,” he said. They may also be targeted with convincing phishing emails impersonating Durex, tricking people into downloading malware, handing over payment information, and more.
So far, neither Durex nor its parent company, Reckitt, has said anything about securing the information, despite the publication’s request. At this point, we don’t know whether malicious actors have discovered the data or managed to exfiltrate it, but given that the news is out and the bug can be replicated, it’s safe to assume it’s only a matter of time.