Shukla Zomato Data Breach
On May 17th 2017, Zomato, India's leading restaurant search and discovery service and a
competitor of Yelp, was hacked, compromising the credentials of over 17 million users.
The company, founded in India by Deepinder Goyal and Pankaj Chaddah, currently operates in
23 countries worldwide (Bureau). It is dedicated to letting users find and order from restaurants
in their vicinity through search filters such as Cuisine, Delivery Time, Cost for Two and other
Quick Filters, in its quest to become the leading food and restaurant search application
worldwide (Zomato).
But in the world of security it is difficult for any firm to stay breach-free, and
Zomato could not either. The hack of 2017 put Zomato in the public eye when the company
disclosed that its system had been breached. While it was initially speculated to be an insider
job, an update on the Zomato blog confirmed that the hack was carried out by the hacker nClay,
described as an ethical security researcher, who wanted Zomato to plug the gaps in its security
infrastructure (Goyal).
infrastructure. While it is speculated that the hacker had informed Zomato of vulnerabilities in
their infrastructure before going ahead with the breach, nClay was a key player in helping
It all began in November 2015, when 000webhost, a free web hosting service, was
hacked, leaking over 13 million user IDs and passwords. Among the compromised accounts was
one belonging to a Zomato developer who had used the service to host his personal website. That
linkage may not seem relevant to the average person, but it was the foundation of nClay's attack:
the developer had reused the same (or a very similar) password for his official GitHub account.
This case is a prime example of a breach enabled by a previously compromised system, a pattern
the security community sees constantly.
With that password the hacker gained access to one of Zomato's code repositories, which was
easier than it would be today because Zomato was not enforcing two-factor authentication on
GitHub at the time. Although Zomato's systems were reachable only from a specific set of IP
addresses, the hacker could read the code and found a vulnerability in it that allowed remote code
execution, which in turn gave access to the database. An IP allow-list limits where requests may
come from, not what vulnerable code does with them once it is reachable. "The piece of code which
was vulnerable was a part of a deprecated system, and hadn't been modified for a few years now,"
says CEO Goyal (Goyal). The leaked code was becoming more outdated by the day, and Zomato has
since taken steps to ensure that it cannot affect the company's infrastructure again.
This event exposed the company to external fraud and information security risk. Breaches
like this pose a huge reputational risk above all, and Zomato did a good job of protecting its
reputation by being transparent and empathetic with its users. Zomato displayed the kind of
"effective board oversight" (Protiviti) that reduces the threat to reputation to a manageable level
and rebuilds customer trust. It did so by releasing three consecutive security updates on the
Zomato blog. The first update set the tone for the aftermath: the executives were apologetic yet
strategic, telling users that no other sensitive data such as credit card information had been
stolen, because card data is kept in a separate PCI DSS (Payment Card Industry Data Security
Standard) compliant vault. Card data was not breached this time, but PCI DSS compliance is not a
guarantee: Chipotle, also subject to PCI DSS, suffered a point-of-sale malware breach in 2017
(Kerner). This illustrates the need for iterative and ongoing security practice rather than a
one-time compliance checkbox. The second update gave a run-down of how the hack happened, as
disclosed by the ethical hacker, with whom Zomato kept an open line of communication. The last
update, in July, gave customers the details of the events as well as lessons learned for the wider
security community. As a result of negotiating with the hacker, Zomato also decided to roll out a
paid bug bounty program on HackerOne, to improve its security practices and to incentivise the
wider hacker community to join its mission. In addition, it will host product meet-ups to discuss
security issues in the Delhi NCR region of India.
As with any breach, external fraud makes up a major share of the risk. In this case, as
in many breaches, information security was at risk. Though hacker nClay was considered an
ethical hacker (Goyal, Security Update – What really happened? And what next?), he was an
outsider who breached the system and put the data up for sale on the dark web for 0.55 BTC,
roughly $1,000. Though the listing was soon taken down, the leak still poses a threat to the 17
million people whose information was exposed. What makes matters worse is that most of these
users are unaware that their data can be misused in ways completely unknown to them. This
brings us to how India as a country handles data security and privacy, and how India-based
startups with a global presence, like Zomato, adhere to such regulations.
With Prime Minister Narendra Modi's Digital India initiative (Government of India),
there has been a recent push to develop policies and best practices that expand access to
digital services, knowledge and information and bring India to the
technology forefront. While India has all the right resources and educational youth to be
around data and security. While tech giants such as Microsoft, Google, Amazon and Facebook
have poured tremendous amounts of money into the Digital India initiative, they have also sparked
a public debate on how privacy currently functions in India. "There is an unprecedented need for
regulation regarding [how] such information can be stored, processed and used." (Iyengar)
Heated and politicized court cases over the government's role in protecting citizens in the
digital world have implications for the country's biometric identification program, Aadhaar.
Many companies, these tech giants among them, have been able to leverage the loose system and
are alleged to have misused it to access personal data, which the government and the public now
understand requires properly implemented regulation (Iyengar). This contextualizes why Zomato
faced no government reporting requirement or regulation that could have prevented the breach,
since data privacy across companies based in India is new and
The data protection law that is in the works for release this month, December 2017 (Agarwal;
Dowal), is meant to provide a robust framework to regulate how international and domestic
companies use and store customer data, while still allowing for innovative practices.
But Zomato has an online presence and the next large part of their user base in terms of
The Australian government has a robust set of privacy principles with a specific focus on
the security of personal information. These regulations give structure to companies that ask
for personal information from Australian citizens. "[An entity] should consider how it will
protect personal information at all stages of the information lifecycle. This should be
considered before an entity collects personal information (including whether it should collect
the information at all), as well as when the information is collected and held, and when it is
destroyed or de-identified when no longer needed." (Australian Government). Though there were
no lawsuits in the case of Zomato's breach, regulations like these set the standard and impose
better security and privacy practices, both on individuals within a company and on the company
as a whole.
In today's world, the breach of user credentials is very common, and even the smallest
mistakes can lead to catastrophe in cyber security. As illustrated throughout this paper,
Zomato's hacker was able to turn a small weakness to his advantage and expose over 17 million
users, who will remain susceptible to threats since their information is out there. In truth,
this breach was not nearly as bad as some others. Had Zomato not stored its users' payment
information in a PCI DSS compliant vault, one can only imagine the uproar it would have created:
not only a much larger breach, but a reputational hit the company might not have come back
from. Therefore, in order to mitigate and prevent such breaches in the future, it is important
to reflect and prepare for the next one. While that may sound strange, in the world of security
breaches are inevitable but the
In Zomato's case there were several areas where things fell apart. Firstly, back in 2015,
Zomato had not set up two-factor authentication for its employees' GitHub accounts. This not
only gave the hacker access to view an old code repository, but it opened the doors to a set of other
before the breach, which cut the hacker off from GitHub access, but by that time he was already
working from an old copy of the code base to find a vulnerability in the company's infrastructure.
This leads us to problem number two: "[n]ot understanding what their own code truly does
and how other code in their system actually works," says Ryan Satterfield, cyber security
specialist (Lord). He adds, "It's one thing to write code, but even the largest companies
underestimate how their program can be used by an attacker." Most non-security teams don't fix
bugs they don't understand, and often start new code bases instead of cleaning up old files. This
is exactly what happened at Zomato, where the vulnerable code sat in a deprecated system, and the
result was a large data breach. A bug may seem minor, but attackers know how to turn that bug
into major impact and
defensive programming so that they understand security vulnerabilities and know how to prevent
them. These vulnerabilities can be identified with static analysis tools, followed by code review
and iterative security testing at each stage of the delivery pipeline, rather than only before a
release - push phases -
The next breaking point in Zomato's security was poor password hashing. Zomato stored
passwords as salted MD5 hashes (Goyal, Security Update – What really happened? And what
next?). Hashes are not "decoded"; the problem is that MD5 is so fast that an attacker who holds
the hashes and their salts can try billions of guesses per second offline until one matches. The
recommended practice is key stretching: generate a strong random salt per user and feed it,
together with the password, into a deliberately slow function that iterates its hash thousands
of times. Writing such an algorithm from scratch is not the way to do this. PBKDF2 with
HMAC-SHA-256 is a standard choice: it runs HMAC-SHA-256 (a keyed hash that hashes the message
under the key and then hashes that result again under a second, permuted form of the key) in a
loop, so the attacker's offline attack slows down in direct proportion to the iteration count
while a legitimate login costs only one such computation. "Store the iteration count, the salt
and the final hash in your password database" (Ducklin). The password itself is never stored or
disclosed: at login the server recomputes the hash from the submitted password and the stored
salt and iteration count and compares it with the stored value in constant time. Memory-hard
alternatives such as bcrypt, scrypt and Argon2 raise the attacker's cost further. You can then increase
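To make the two weaknesses discussed above concrete (the reused 000webhost password that opened GitHub, and the salted MD5 password store), here is an added example written for this paper; it is not Zomato's code. The breach dump, e-mail addresses and passwords are constructed, and the record format and the 200,000-iteration default are my own choices. It shows how a salted MD5 hash falls to an offline guess from a reused-password list, the PBKDF2-HMAC-SHA256 replacement with a per-user salt and a stored iteration count, and a reuse check of the kind that would have flagged the developer's leaked password against the company's own store:

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional

# Constructed sample of a third-party breach dump in "email:password" form.
# Invented for this example; not real 000webhost or Zomato data.
EXTERNAL_DUMP = [
    "dev1@example.com:Summer2015!",
    "dev2@example.com:hunter2",
    "user3@example.com:correct horse battery staple",
]


def parse_dump(lines: Iterable[str]) -> Dict[str, str]:
    """Parse 'email:password' lines; passwords may themselves contain ':'."""
    creds = {}
    for line in lines:
        email, sep, password = line.partition(":")
        if sep and email:
            creds[email.strip().lower()] = password
    return creds


# --- Legacy scheme: salted MD5, as described in the text above ---
def md5_salted(password: str, salt: bytes) -> str:
    """One fast MD5 over salt||password. The salt defeats precomputed tables,
    but each guess still costs well under a microsecond on commodity hardware."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def crack_salted_md5(stored_hex: str, salt: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: the attacker holds salt and hash, so nothing
    rate-limits the guesses. Returns the recovered password or None."""
    for guess in wordlist:
        if hmac.compare_digest(md5_salted(guess, salt), stored_hex):
            return guess
    return None


# --- Replacement: PBKDF2-HMAC-SHA256 with per-user salt and stored iteration count ---
DEFAULT_ITERATIONS = 200_000  # assumed tuning for this example; raise as hardware gets faster


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iter>$<salt hex>$<hash hex>'
    (a format chosen for this example) so parameters can be raised per user later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count and compare in constant
    time. The password itself is never stored anywhere."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


def find_reused_credentials(dump_lines: Iterable[str],
                            internal_records: Dict[str, str]) -> List[str]:
    """Return the e-mails whose leaked third-party password also verifies against
    the company's own PBKDF2 record: those accounts need a forced reset."""
    leaked = parse_dump(dump_lines)
    return sorted(email for email, record in internal_records.items()
                  if email in leaked and pbkdf2_verify(leaked[email], record))


if __name__ == "__main__":
    # dev1 and user3 reused their leaked password on the internal system; dev2 did not.
    internal = {
        "dev1@example.com": pbkdf2_hash("Summer2015!"),
        "dev2@example.com": pbkdf2_hash("a-different-password"),
        "user3@example.com": pbkdf2_hash("correct horse battery staple"),
    }
    print("force reset for:", find_reused_credentials(EXTERNAL_DUMP, internal))

    # Why salted MD5 was not enough: the same leaked list recovers it instantly.
    salt = os.urandom(8)
    legacy = md5_salted("hunter2", salt)
    print("salted MD5 recovered:",
          crack_salted_md5(legacy, salt, parse_dump(EXTERNAL_DUMP).values()))
```

The reuse check costs one full PBKDF2 computation per matching e-mail, which is exactly the point: the same iteration count that slows the attacker's offline guessing also bounds how fast the defender can sweep a dump, so such sweeps are run as a batch job, not on the login path. The record carries its own iteration count so that older hashes can be upgraded on the user's next successful login without a password reset.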
Lastly, to ensure better access control, it is recommended that Zomato add multiple layers
of authentication and authorization where they are needed, so that a single stolen credential
does not by itself grant access to source code or production systems. This also separates the
systems further and helps internal security teams understand attack patterns and prioritise when
dealing with the next intrusion. "That is, knowing the processes used by the Actors, the tools
(Actions) to accomplish their goals and how many of these patterns begin with the same or similar
bag of tricks" (Bisson). These recommendations illustrate the need for iterative and ongoing
education to ensure better security practices so that such a breach in the
But security is a two-way street. While these recommendations will help Zomato secure its
users, users should also take the time to understand the risk such a breach creates for them.
Most people use the same password across multiple accounts, which makes a leak from one site a
key to the others, and even a small variation of a known password is guessed easily by today's
cracking tools. This is what makes such habits risky in a breach, so it is recommended to use a
password manager such as LastPass, which encrypts and manages your passwords. Such services do
not hash your passwords (a hash cannot be turned back into a password); they encrypt your stored
passwords with a key derived from your master password, and the encrypted vault is decrypted
locally only when you authenticate. For example, LastPass's Chrome extension prompts the user to
save a password at each new login and fills it in again when the user returns to the same
website, so every site can have a long, unique, random password. The "last password" you need
to know is the LastPass master password that opens the doors to your
If one thing is evident throughout this paper, it is that security breaches are inevitable.
We will forever be in a race with hackers, some of whom are ethical while others have other
agendas. What we can control is the impact such an event has, by practising better security
measures and planning mitigation strategies ahead of time. Numerous breaches have happened
mostly because of poor planning, which rolls into poor execution. Though government regulation
plays a huge role in defining the nature of different industries and sectors, it mostly comes
down to the organisation itself to take ownership of its security and bear the consequences of
this ongoing battle. We hope to see Zomato learn from its security and infrastructure blunders
and look forward to the next phase of its security and privacy practices.
Works Cited
Agarwal, Surabhi. "Data Protection Bill To Be Passed By December: Law Minister Ravi
Shankar Prasad." n.d. The Economic Times.
<https://economictimes.indiatimes.com/news/economy/policy/data-protection-bill-to-be-
in-place-by-december-law-minister-ravi-shankar-prasad/articleshow/60227629.cms>.
Australian Privacy Principles guidelines. "Australian Privacy Principles guidelines." n.d. OAIC.
<https://www.oaic.gov.au/images/documents/privacy/applying-privacy-law/app-
guidelines/APP-guidelines-combined-set-v1.pdf>.
Bisson, David. "Takeaways from the 2016 Verizon Data Breach Investigations Report."
April 2016. The State of Security. <https://www.tripwire.com/state-of-security/security-
data-protection/cyber-security/takeaways-from-the-2016-verizon-data-breach-
investigations-report/>.
BSIMM. "BSIMM." n.d. The BSIMM has launched—don’t miss the latest findings.
<https://www.bsimm.com/>.
Bureau, ET. "Zomato achieves operational milestone." n.d. Economic Times.
<https://economictimes.indiatimes.com/small-biz/startups/zomato-achieves-operational-
milestone-in-six-countries-out-of-23/articleshow/50894493.cms>.
Dowal, Pankaj. "Data protection law coming soon to tackle misuse of private info by social
media and tech giants." 24 August 2017. Times of India.
<https://timesofindia.indiatimes.com/india/data-protection-law-coming-soon-to-tackle-
misuse-of-private-info-by-social-media-and-tech-giants/articleshow/60212900.cms>.
Ducklin, Paul. "Serious Security: How to store your users’ passwords safely." 20 November 2013.
Naked Security. <https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-
your-users-passwords-safely/>.
Government of India. "Digital India." n.d. Digital India. <https://www.mygov.in/group/digital-
india/>.
Goyal, Deepinder. "Security Update – What really happened? And what next?" 23 May 2017.
Zomato. <https://www.zomato.com/blog/security-update-what-really-happened-and-
what>.
Iyengar, Rishi. "Privacy is now a right in India. Here's what that means for the tech industry."
August 2017. CNN. <http://money.cnn.com/2017/08/29/technology/india-right-to-
privacy-tech-industry-aadhaar/index.html>.
Kerner, Sean Michael. "Chipotle Breach Exposes Continued Point-of-Sale Cyber-Security
Risks." 30 May 2017. eWeek. Accessed December 2017.
LastPass. "LastPass." n.d. LastPass. <https://www.lastpass.com/>.
Lord, Nate. "An Expert Guide to Securing Sensitive Data: 34 Experts Reveal the Biggest
Mistakes Companies Make with Data Security." n.d. Digital Guardian.
<https://digitalguardian.com/blog/expert-guide-securing-sensitive-data-34-experts-reveal-
biggest-mistakes-companies-make-data>.
Protiviti. "Board Oversight of Reputation Risk." Board Perspectives: Risk Oversight, Issue 83.
2012. Protiviti.
<https://www.protiviti.com/sites/default/files/united_states/insights/board_perspectives_-
_risk_oversight_-_issue_83_-_board_oversight_of_reputation_risk.pdf>.
PWC. "Proactively managing major data-breach risks." September 2017. PWC.
<https://www.pwc.com/us/en/cybersecurity/broader-perspectives/proactively-managing-
data-breach-risks.html>.
Rai, Saritha. "Food Startup Zomato Is India's First E-Commerce Unicorn To Break Even, Headed
For Profitability." 8 February 2016. Forbes.
<https://www.forbes.com/sites/saritharai/2016/02/08/food-startup-zomato-is-indias-first-
unicorn-to-break-even-headed-for-profitability-by-mid-2016/#c2b067a4ba8f>.
Synopsys. "Synopsys." n.d. Synopsys. <https://www.synopsys.com/software-
integrity/training/software-security-courses.html>.
The Centre for Internet & Society. "Internet Privacy in India." 2016. The Centre for Internet &
Society. < https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-
privacy-in-india >.
Zomato. "Zomato." n.d. Zomato. <https://www.zomato.com/>.