India shipping logistics giant Shipyaari exposed customer data

The personal data of thousands of customers was exposed by a months-long spill of its internal shipment information.

The Shipyaari customers' names, addresses, phone numbers, order invoice amounts and delivery status were exposed. Barot said that the client tracking page was not password protected and could be seen by anyone.

Barot said that the information could be used to perform targeted social engineering attacks and financial frauds.

The company promised a fix after the researcher contacted them about the exposure. Changes did not fix the exposure. In late July, it was fixed after a security incident was reported.

Barot appreciated Shipyaari for fixing the issue.

The exposure was fixed by removing customers'PII from the tracking page and limiting access with a one-time PIN. Bad actors were limited from launching automated attacks.

The founder of Shipyaari said that data privacy is of paramount importance to the company.

Customer data won't be displayed on the page while it's being loaded.

According to Shipyaari, they can handle more than 5000 shipments a day. There are over 6,000 active sellers on the company's website.

India needs strong data privacy laws to limit the amount of data exposure and leaks.

The Personal Data Protection Bill that was promoted to bring stringent rules to protect its citizens' privacy was withdrawn earlier this month. Tech giants were concerned about how they could manage user information.