India’s Largest Tech Retailer Suffered Data Breach, With Employee and Customer Data

Recently I discovered a non-password protected data breach Poorvika throughout the records and file names. The records contained employee data such as religion, sex, date of birth, marital status, family dependents, and other PII. After sending a responsible disclosure notice to Poorvika the database was closed to public access that same day. However, They never replied regarding my findings. According to its website, Poorvika is the largest tech retailer in India, which specializes in mobile phones and mobile-related accessories. Poorvika was founded in 2004 and has since grown to become one of the largest mobile retailers in the country, boasting over 500 stores across 43 cities. Poorvika also has an online portal that sells smartphones, laptops, computers, smart devices, and tech accessories.

What the database contained:

• Total number of records: 8,091,993 with a total size of 725.8 GB.
• The database contained a folder named “All Databases”, which included SQL backups of Poorvika databases, as well as backups of its app and website’s source code.
• One folder contained 668,243 accounts with names and personal data of what appeared to be customers or app users.
• In a limited search of a single human resources backup folder, there were also business and personal employee email addresses; when running a search query for Gmail accounts, the single folder contained 45,542 Gmail addresses.
• Internal records included 53,885 PDF files of tax invoices, payment receipts that exposed partial credit card numbers, and other data pertaining to both the customers and the company itself.
• Human resources files contained employee data, including salary and bank account information.

My full report can be seen here.