Zomato declares all-safe after massive data theft

19th May 2017

Hacker cooperates, withdraws demand, says online food player, but some troubling questions remain
Bangalore, May 19 2017: A day after Web-based food and restaurant aggregator Zomato reported a security breach and hacking of its data, including account information of 17 million customers, it sounded an all-clear and reassured users that no damage had been done.
The breach was first detected by HackRead, a website devoted to security breaches, and confirmed by Zomato in a blog. A few hours ago Zomato said it had got in touch with the hacker, who used the name clay. He had cooperated with Zomato and taken down the link in the Net's underworld marketplace where the hacked data was on sale for about a thousand dollars.
The paltry amount, considering Zomato admitted some 6.6 million user names, IDs and passwords had been stolen (and not 17 million, since the majority used their Facebook or Google IDs), suggests the hacker was not serious about making money from the cyber heist. Zomato says he sought a bug bounty programme (where ethical hackers are rewarded for pointing out flaws in corporate web operations) and has promised to institute just such a programme. Its current bug report programme on HackerOne offers no monetary reward, just a pat on the back, so clearly the unnamed hacker is looking for something more concrete -- and pocket-jingling.
In a Twitter post Zomato founder Deepinder Goyal assured users: "Your credit card info and your addresses are fully safe and secure". However, out of an abundance of caution, it recommends that customers change passwords anyway, especially if they are the same across multiple services.
While Zomato seems to have managed the immediate crisis, some questions remain unanswered. Ethical hackers usually work in cooperation with the target enterprise. For example, the Election Commission has said it would shortly organise a legal session for hackers to try and breach the Electronic Voting Machine. In the Zomato case, the company seems to have been caught by surprise by the hacker. What sort of deal did they do to have him cooperate? "Bug Bounty Programme" seems to read like a euphemism for some sort of pay-off.
Consumers have some learnings too: if you regularly buy services on the Web, it is better to use a separate credit or debit card or an e-cash service for the purpose, and set the maximum balance or credit limit quite low to limit any potential damage, because in the very tentative state of India's cyber laws, recovering one's losses due to the possible negligence of an e-commerce entity may be a long and tortuous process.
For enterprises functioning in today's hostile e-security environment, such breaches can happen, no matter how high the firewalls. It may be in everyone's interest if online entities test the strength of their cyber defences in controlled hacks, rather than let someone hack first and negotiate later.

*Zomato is a restaurant search and discovery app, providing in-depth information for over 1 million restaurants across 23 countries. Zomato is used by consumers globally to discover, rate, and review restaurants, as well as create their own personal networks of fellow food enthusiasts.