Just a day back, many of the customers of the Flipkart-owned travel-booking platform Cleartrip received an email. The letter tersely said: "This is to inform you that there has been a security anomaly that entailed illegal and unauthorised access to a part of Cleartrip's internal systems."
"We are completely mindful that this would be of concern to you. We would like to assure you that aside from some details which are a part of your profile, no sensitive information pertaining to your Cleartrip account has been compromised as a result of this anomaly of our systems. You can choose to reset your password as a precautionary measure."
The letter went on to say that the company has intimated the police and cyber authorities.
Data breaches, in these days of vulturous hackers, are unfortunately not uncommon. And the hospitality sector, for obvious reasons, is the most targeted. Recently we saw the hotel chain Marriott being at the receiving end of a sinister hacking incident. A recent report said almost half of businesses have suffered a data breach in recent years globally. And India is 6th most data-breached country, and Indians lose 3.8 data points per data breach, while the global average is only 2.3.
Most Indian companies hide things from customers
All these things clearly point to the fact that what happened at Cleartrip, though worrisome, is not out of ordinary. But what has made matters worse is the way Cleartrip has gone about in keeping the affected customers in loop. In the letter, Cleartrip has not made any mention of when the said breach had occurred, the number of customers whose data was compromised, and what exactly were the breached data. The letter from the company totally reticent on all these aspects. It has merely asked its customers to get a new password.
This approach is least professional. For, globally companies come out and explain the whens and what of the data breach. For example, in the Marriott hacking, the company divulged the info that unknown threat actors stole 20GB worth of data from its servers. The hackers also tried to extort Marriott, but the company refused to pay a ransom fee for the safe return of the data.
in the case of Cleartrip, the company's marked reluctance to convey the info that it is duty-bound to share is reflective of the mindset that is prevalent among many Indian companies. They generally prefer to push things under the carpet rather than explain things honestly and sincerely.
For the record, this is the first data breach that has come to light ever since the directions of the Indian Computer Emergency Response Team (CERT-In) came to force in late June. Its directions mandate that companies have to report cybersecurity incidents to CERT-In within six hours of discovering the issue. (But no info is available when the data breach occurred.)
This is not the first time that Cleartrip suffered a breach of its systems. In 2017, a hacking group named Turtle Squad defaced its website after gaining unauthorised access.
- Amazon Prime Day 2022 India smartphone launches: The phones to watch out for
