In today’s digital era, the very idea of a security breach can cause severe consternation. So one can imagine the concern when on September 20, there were news reports of a data breach at Indolj, a Pakistani restaurant technology provider. Specifically, local media outlets reported that a sample database of customers who use Indolj had been compromised – and more worryingly, that this database contained the customers’ personal and payment information of customers. What actually happened? Profit finds out.
The incident at Indolj
Indolj is a commission-free online ordering system and food ordering app that helps restaurants cater to their customers’ food orders. It also provides all-in-one technology solutions for restaurants, including websites with online ordering, POS, digital menu boards and digital marketing.
On September 20, Profit received a sample database that was allegedly selling data of approximately 2.2 million Indolj customers. This same database was received by other media outlets, such as GEO News, which reported on the topic on September 20, and ProPakistani, which reported on it two days later. The database included the names of customers, their email addresses, their phone numbers, along with other information.
Profit carried out an analysis to verify the authenticity of the information leaked. This was done by contacting a pool of around 30 customers whose details were mentioned. We were able to confirm the names and numbers of these customers; however, approximately only 15 email addresses matched the ones in the database.
While it had been initially claimed that customers’ credit card information had also been breached, there was no proof of this in the database. Additionally, the physical addresses of customers were also not present in the sample data, which means that there is no confirmation of that particular data being leaked.
Profit spoke to both Indolj’s CEO Saad Jandga, and Wah Brands CEO Athar Chawla, who has closely worked with Indolj and used their services for his brands. Both individuals confirmed that details like the names and phone numbers of any customer registered are common and usually available. Both also said that anyone with a mobile number receives numerous promotional and marketing calls on a daily basis, so this is not something that people should panic about.
Breaching into the systems and leaking sensitive customer data is unusual, however, “such unethical practices are often carried out by competitors, when a platform is growing,” Chawla said.
He added the report’s use of fabricated data such as some email addresses and phone numbers doesn’t provide any evidence of Indolj’s sensitive data being compromised.
Jangda reiterated the platform doesn’t require customers to provide sensitive data. He also said the team received the database around the same time as everyone else did and took immediate action. They carried out an analysis to verify the data themselves, as well as with their clients, which showed that only a small fraction (approximately 5%) matched the data at the secure back-end database.
“This inconsistency raises serious doubts about the authenticity of the reported data breach,” Saad told this newspaper.
What about customers’ credit card information?
Indolj is a service provider that does not require any customer to save their credit card information. However, the restaurants that use the platform’s services and offer an online payment option to their customers use a payment gateway. These are offered either by Foree, Bank Alfalah or HBL. Jangda said Indolj does not store any data as payments are made through the gateway portal alone. This was confirmed by security expert Rafay Baloch, who said Indolj is not Payment Card Industry Data Security Standard (PCI DSS) compliant. Only PCI compliant companies can store data.
“Indolj users enter their credit card information every time unless the portal asks them to save the information. Even in that case, the information is not with Indolj,” Saad stated.
“The report includes a credit card column, but Indolj never stores payment information, making any claim of credit card data leakage impossible,” Chawla said, further stating that an OTP is requested from users every time an online payment is made on their restaurants.
In this case, credit card numbers were not included in the database. Even if they had been included, an individual would have to also know a customer’s pin, along with the credit card info to make a transaction. The chance of fraud increases when both the credit card number and pin are available.
What does it mean to be PCI Compliant?
It means that your systems are secure, reducing the chances of data breaches. Merchants and payment service providers (PSPs) handling card data must maintain PCI compliance. It encompasses technical and operational standards that businesses must adhere to to protect cardholders’ credit card data during processing. Being PCI compliant, a merchant needs to undergo rigorous security measures and audits to ensure data protection.
How serious is this security breach?
Our analysis shows that breach may not be so serious as no sensitive data has been leaked. This is because merchants who are not PCI compliant do not store sensitive information.
What is being done?
Indolj has said that it has robust security measures and is continuously updating its security protocols to avoid such threats in the future. Additionally, the service provider is pursuing legal action through FIA Cyber Crime to hold those responsible for this incident accountable. They have also engaged certified security consultants to investigate this further.
Well companies should have at least a well maintained security system to prevent data and security breach from hackers to give their customers a safe Experience.
It’s essential for companies to maintain robust security systems . Its valuable to safeguard against data breaches and protect their customers. Most of the merchants didn’t save serious data of the customers . MEPCO Online Bill suggest one more thing is that PSPs and Merchants should make policy for securing the customers data , that will enhance customer trust on it.
Breaking down the Indolj security issue, it seems the situation isn’t as alarming. Profit’s investigation shows no critical data leaked. Indolj’s actions, like enhancing security and legal steps, show they’re on top of things. Storing credit card info is tricky, and Indolj’s move to involve security experts adds assurance. Let’s wait for the full picture after thorough checks.
It is highly recommended for companies to have a robust security system in place in order to safeguard against potential data and security breaches caused by hackers. This not only ensures the protection and privacy of customers’ information but also enhances their overall experience by providing a secure environment.
This news about Indolj’s alleged data breach raises concerns about customer information security. It’s reassuring that the leaked data seems to lack sensitive details like credit card information. However, the potential breach highlights the need for robust security measures, especially in handling customer data. Indolj’s actions, pursuing legal recourse and enhancing security, reflect a proactive stance to address the issue and prevent future threats.
GET RICH WITH BLANK ATM CARD, Whats app: + 1 803 392 1735
I want to testify about Dark Web blank atm cards which can withdraw money from any atm machines around the world. I was very poor before and have no job. I saw so many testimony about how Dark Web Online Hackers send them the atm blank card and use it to collect money in any atm machine and become rich I email them also and they sent me the blank atm card. I have use it to get 500,000 dollars. withdraw the maximum of 5,000 USD daily. Dark Web is giving out the card just to help the poor. Hack and take money directly from any atm machine vault with the use of atm programmed card which runs in automatic mode.
You can also contact them for the service below
* Western Union/MoneyGram Transfer
* Bank Transfer
* PayPal / Skrill Transfer
* Crypto Mining
* CashApp Transfer
* Bitcoin Loans
* Recover Stolen/Missing Crypto/Funds/Assets
Email: darkwebonlinehackers @ gmail . com
Telegram or Whats App: + 1 803 392 1735
It’s reassuring to see that Indolj is taking proactive steps to address the alleged breach, including legal action and engaging security consultants. This demonstrates their commitment to safeguarding customer data.
The fact that the leaked database lacked customers’ physical addresses and credit card information provides some relief, but it’s crucial for companies to continuously fortify their security measures to prevent potential breaches in the future
The absence of sensitive data like credit card information in the leaked database underscores the importance of PCI compliance for businesses handling payment transactions. It’s a reminder of the critical role standards like PCI DSS play in protecting consumer data.
It’s commendable that Profit conducted its own analysis to verify the authenticity of the leaked data, providing a more nuanced perspective on the severity of the breach. This kind of investigative journalism is essential for separating fact from fiction in cybersecurity incidents.
The statement from Indolj’s CEO regarding the prevalence of promotional calls based on leaked customer information highlights a broader issue of privacy invasion. Even if the breach isn’t as severe as initially feared, it still raises questions about data misuse and ethical business practices