“On receipt of emails claiming unauthorised access into our database, we have appointed a leading international cyber-security firm to investigate possibilities of breach of some KYC data stored in third-party data warehouse systems.
“This morning, hackers put up a sample of our data on the dark web,” a company spokesperson stated. As a proactive measure, Upstox has implemented multiple security upgrades, especially at the third-party warehouses, 24×7 monitoring in real-time and enhanced ring-fencing of its network.
“As a matter of abundant caution, we have also initiated a secure password reset via OTP for all Upstox users. Upstox takes customer security extremely seriously.
“Funds and securities of all Upstox customers are protected and remain safe. We have also duly reported this incident to the relevant authorities,” the spokesperson said. The spokesperson further said that at this point, “we don’t know with certainty the number of customers whose data has been exposed”.
The broking firm is backed by renowned investors such as Tiger Global and Ratan Tata and has over three million users. Upstox co-founder and CEO Ravi Kumar has stated on the company website that users' funds and securities are safe.
“Funds can only be moved to your linked bank accounts and your securities are held with the relevant depositories. As a matter of abundant caution, we have also initiated a secure password reset via OTP. Through this time, we have also strongly fortified our systems to the highest standards,” he added.
He also stated that Upstox has restricted access to the database that was impacted and that multiple security measures are in place across all third-party data warehouses.
The company has also scaled its bug bounty programs to encourage ethical hackers to help it test its systems and protocols and identify any possible vulnerabilities on a regular basis.
The company has asked users to always use strong passwords that are not easy to guess. It has also asked users to be aware of online fraud, to verify the legitimacy of links, and to notify service providers about any such instances.