Navigating the Indolj “Security Breach”: Separating fact from fiction

Why the supposed data breach is not as serious as one might think

In today’s digital era, the very idea of a security breach can cause severe consternation. So one can imagine the concern when on September 20, there were news reports of a data breach at Indolj, a Pakistani restaurant technology provider. Specifically, local media outlets reported that a sample database of customers who use Indolj had been compromised – and more worryingly, that this database contained the customers’ personal and payment information of customers. What actually happened? Profit finds out.

The incident at Indolj

Indolj is a commission-free online ordering system and food ordering app that helps restaurants cater to their customers’ food orders. It also provides all-in-one technology solutions for restaurants, including websites with online ordering, POS, digital menu boards and digital marketing.

On September 20, Profit received a sample database that was allegedly selling data of approximately 2.2 million Indolj customers. This same database was received by other media outlets, such as GEO News, which reported on the topic on September 20, and ProPakistani, which reported on it two days later. The database included the names of customers, their email addresses, their phone numbers, along with other information. 

Profit carried out an analysis to verify the authenticity of the information leaked. This was done by contacting a pool of around 30 customers whose details were mentioned. We were able to confirm the names and numbers of these customers; however, approximately only 15 email addresses matched the ones in the database. 

While it had been initially claimed that customers’ credit card information had also been breached, there was no proof of this in the database. Additionally, the physical addresses of customers were also not present in the sample data, which means that there is no confirmation of that particular data being leaked. 

Profit spoke to both Indolj’s CEO Saad Jandga, and Wah Brands CEO Athar Chawla, who has closely worked with Indolj and used their services for his brands. Both individuals confirmed that details like the names and phone numbers of any customer registered are common and usually available. Both also said that anyone with a mobile number receives numerous promotional and marketing calls on a daily basis, so this is not something that people should panic about. 

Breaching into the systems and leaking sensitive customer data is unusual, however, “such unethical practices are often carried out by competitors, when a platform is growing,” Chawla said.

He added the report’s use of fabricated data such as some email addresses and phone numbers doesn’t provide any evidence of Indolj’s sensitive data being compromised.

Jangda reiterated the platform doesn’t require customers to provide sensitive data. He also said the team received the database around the same time as everyone else did and took immediate action. They carried out an analysis to verify the data themselves, as well as with their clients, which showed that only a small fraction (approximately 5%) matched the data at the secure back-end database.

“This inconsistency raises serious doubts about the authenticity of the reported data breach,” Saad told this newspaper.

What about customers’ credit card information?

Indolj is a service provider that does not require any customer to save their credit card information. However, the restaurants that use the platform’s services and offer an online payment option to their customers use a payment gateway. These are offered either by Foree, Bank Alfalah or HBL. Jangda said Indolj does not store any data as payments are made through the gateway portal alone. This was confirmed by security expert Rafay Baloch, who said Indolj is not Payment Card Industry Data Security Standard (PCI DSS) compliant. Only PCI compliant companies can store data. 

“Indolj users enter their credit card information every time unless the portal asks them to save the information. Even in that case, the information is not with Indolj,” Saad stated.

“The report includes a credit card column, but Indolj never stores payment information, making any claim of credit card data leakage impossible,” Chawla said, further stating that an OTP is requested from users every time an online payment is made on their restaurants.

In this case, credit card numbers were not included in the database. Even if they had been included, an individual would have to also know a customer’s pin, along with the credit card info to make a transaction. The chance of fraud increases when both the credit card number and pin are available.

What does it mean to be PCI Compliant? 

It means that your systems are secure, reducing the chances of data breaches. Merchants and payment service providers (PSPs) handling card data must maintain PCI compliance. It encompasses technical and operational standards that businesses must adhere to to protect cardholders’ credit card data during processing. Being PCI compliant, a merchant needs to undergo rigorous security measures and audits to ensure data protection.

How serious is this security breach? 

Our analysis shows that breach may not be so serious as no sensitive data has been leaked. This is because merchants who are not PCI compliant do not store sensitive information. 

What is being done? 

Indolj has said that it has robust security measures and is continuously updating its security protocols to avoid such threats in the future. Additionally, the service provider is pursuing legal action through FIA Cyber Crime to hold those responsible for this incident accountable. They have also engaged certified security consultants to investigate this further.

Saneela Jawad
Saneela Jawad
The author is a staff member. She tweets at @SaneelaJawad Email: [email protected]


  1. Well companies should have at least a well maintained security system to prevent data and security breach from hackers to give their customers a safe Experience.

  2. It’s essential for companies to maintain robust security systems . Its valuable to safeguard against data breaches and protect their customers. Most of the merchants didn’t save serious data of the customers . MEPCO Online Bill suggest one more thing is that PSPs and Merchants should make policy for securing the customers data , that will enhance customer trust on it.

  3. Breaking down the Indolj security issue, it seems the situation isn’t as alarming. Profit’s investigation shows no critical data leaked. Indolj’s actions, like enhancing security and legal steps, show they’re on top of things. Storing credit card info is tricky, and Indolj’s move to involve security experts adds assurance. Let’s wait for the full picture after thorough checks.


Please enter your comment!
Please enter your name here

Must Read