In today’s digital era, the very idea of a security breach can cause severe consternation. So one can imagine the concern when, on September 20, there were news reports of a data breach at Indolj, a Pakistani restaurant technology provider. Specifically, local media outlets reported that a sample database of customers who use Indolj had been compromised – and, more worryingly, that this database contained customers’ personal and payment information. What actually happened? Profit finds out.
The incident at Indolj
Indolj is a commission-free online ordering system and food ordering app that helps restaurants cater to their customers’ food orders. It also provides all-in-one technology solutions for restaurants, including websites with online ordering, POS, digital menu boards and digital marketing.
On September 20, Profit received a sample database, part of a data set of approximately 2.2 million Indolj customers that was allegedly being offered for sale. This same database was received by other media outlets, such as GEO News, which reported on the topic on September 20, and ProPakistani, which reported on it two days later. The database included the names of customers, their email addresses and their phone numbers, along with other information.
Profit carried out an analysis to verify the authenticity of the leaked information. This was done by contacting a pool of around 30 customers whose details were mentioned. We were able to confirm the names and numbers of these customers; however, only approximately 15 email addresses matched the ones in the database.
While it had been initially claimed that customers’ credit card information had also been breached, there was no proof of this in the database. The physical addresses of customers were also not present in the sample data, which means that there is no confirmation of that particular data being leaked.
Profit spoke to both Indolj’s CEO Saad Jangda and Wah Brands CEO Athar Chawla, who has worked closely with Indolj and used its services for his brands. Both individuals confirmed that details like the names and phone numbers of any registered customer are common and usually available. Both also said that anyone with a mobile number receives numerous promotional and marketing calls on a daily basis, so this is not something that people should panic about.
Breaching systems and leaking sensitive customer data is unusual; however, “such unethical practices are often carried out by competitors, when a platform is growing,” Chawla said.
He added that the report’s use of fabricated data, such as some email addresses and phone numbers, doesn’t provide any evidence of Indolj’s sensitive data being compromised.
Jangda reiterated that the platform doesn’t require customers to provide sensitive data. He also said the team received the database around the same time as everyone else did and took immediate action. They carried out an analysis to verify the data themselves, as well as with their clients, which showed that only a small fraction (approximately 5%) matched the data in the secure back-end database.
“This inconsistency raises serious doubts about the authenticity of the reported data breach,” Saad told this newspaper.
What about customers’ credit card information?
Indolj is a service provider that does not require any customer to save their credit card information. However, the restaurants that use the platform’s services and offer an online payment option to their customers use a payment gateway. These gateways are offered by Foree, Bank Alfalah or HBL. Jangda said Indolj does not store any such data, as payments are made through the gateway portal alone. This was confirmed by security expert Rafay Baloch, who said Indolj is not Payment Card Industry Data Security Standard (PCI DSS) compliant. Only PCI-compliant companies can store card data.
“Indolj users enter their credit card information every time unless the portal asks them to save the information. Even in that case, the information is not with Indolj,” Saad stated.
“The report includes a credit card column, but Indolj never stores payment information, making any claim of credit card data leakage impossible,” Chawla said, further stating that an OTP is requested from users every time an online payment is made at their restaurants.
In this case, credit card numbers were not included in the database. Even if they had been included, an individual would also have to know a customer’s PIN, along with the credit card information, to make a transaction. The chance of fraud increases when both the credit card number and PIN are available.
What does it mean to be PCI Compliant?
It means that your systems are secure, reducing the chances of data breaches. Merchants and payment service providers (PSPs) handling card data must maintain PCI compliance. It encompasses technical and operational standards that businesses must follow to protect cardholders’ credit card data during processing. To be PCI compliant, a merchant needs to implement rigorous security measures and undergo audits to ensure data protection.
How serious is this security breach?
Our analysis shows that the breach may not be so serious, as no sensitive data has been leaked. This is because merchants who are not PCI compliant do not store sensitive information.
What is being done?
Indolj has said that it has robust security measures and is continuously updating its security protocols to avoid such threats in the future. Additionally, the service provider is pursuing legal action through FIA Cyber Crime to hold those responsible for this incident accountable. They have also engaged certified security consultants to investigate this further.