Aditya Birla Fashion and Retail Limited (ABFRL), one of India’s largest fashion retail companies, has been the victim of a massive data breach. Data from more than 5.4 million email addresses was reportedly extracted from the Aditya Birla Group-owned platform and published online. The alleged database includes personal customer information such as names, phone numbers, addresses, dates of birth, order histories, credit card details and passwords stored as Message-Digest algorithm 5 hashes (MD5). The data breach would include details of the employees, including salary details, religion and their marital status.
The alleged Aditya Birla Fashion and Retail database has been made public by a group of hackers known as ShinyHunters. News of an ABFRL account breach was passed on to some affected customers by the Have I Been Pwned data breach tracking website. No less than 5,470,063 Aditya Birla Fashion and Retail Limited accounts are noted being raped and ransomed in December of last year. The hacker group’s ransom demand was reportedly rejected and the data was later publicly posted on a popular hacking forum.
To check if you participated in the breach, visit the Have I Been Pwned website and enter your email address or phone number. Gadgets 360 has contacted ABFRL for comment on the breach. This report will be updated when we respond to you.
“It’s a huge amount of data and it also includes the source code,” Troy Hunt, the creator of the Have I Been Pwned website, told Gadgets 360. “There’s a lot of personal customer information, but also on the staff. I have no idea why they store sensitive PII like religion, as well as very personal information like marital status. It’s unclear why this would be necessary for someone to complete their job.
Hunt also noted that there was a complete lack of disclosure from the ABFRL about this.
“Data is circulating very widely on hacking forums, but as far as I know they haven’t informed customers yet. It’s inexcusable,” he said.
ShinyHunters had access to the ABFRL database for several weeks, according to a report by RestorePrivacy. According to the report, the information allegedly hacked includes ABFRL employee data details like full name, email, date of birth, physical address, gender, age, marital status, salary, religion, etc. He is also said to have ABFRL customer data and hundreds of thousands of invoices and source code for the company’s website and server reports.
Gadgets 360 was able to independently verify the existence of the forum post created by ShinyHunters announcing the data leak.
“We tried to get in touch with the ABFRL. They sent a negotiator but he was just stalling (the offer was more than reasonable for a ’45 billion dollar conglomerate’. So we decided to just disclose for you guys, including their famous divisions like Pantaloons.com or Jaypore.com,” the hacker group noted in the January 11 post. However, the exact amount requested for payment is unknown.
According to RestorePrivacy’s report, the data includes server logs and vulnerability reports for Indian clothing brands ABFRL, including American Eagle, Pantaloons, Forever21, The Collective, Van Heusen, Peter England, Planet Fashion and Shantanu & Nikhil.
The leaked database allegedly contains financial and transaction details along with 21GB of ABFRL invoices. ShinyHunters has informed RestorePrivacy that they have acquired ABFR customers’ credit card data, specifically from Pantaloons. ABFRL staff are aware that ShinyHunters is in possession of this data.
Check out the latest from the Consumer Electronics Show on Gadgets 360, in our CES 2022 hub.