On 14 October, when hackers breached the database of online grocer Bigbasket, it set off a chain of events that other startups have become only too familiar with over the past year.
As in the case of platforms such as concierge service Dunzo and edtech unicorn Unacademy, the breach was not brought to light by government agencies or established private cybersecurity companies. Instead, it came from a two-year-old cyber threat intelligence firm, Cyble.
The company, headquartered in Georgia, USA, has a simple modus operandi. First, it notifies the victim. In Bigbasket’s Bigbasket’s The Ken How did a bunch of 1999-vintage retail veterans become the largest players in India’s most lucrative e-commerce space, groceries? Read more case, offering to resolve the matter, albeit for twice as much as the $40,000 ransom being touted on the dark web. If the victim doesn’t enlist its services, the consequences effectively amount to public shaming.
When Bigbasket declined Cyble’s offer, choosing eventually to file a First Information Report with the Bengaluru Police cyber crime cell, Cyble went public with details of the breach.
Southeast Asian hotel aggregator RedDoorz RedDoorz The Ken RedDoorz: The unlikely David to OYO’s Goliath in Southeast Asia Read more knows this playbook well. Its own breach occurred well over a month before Bigbasket’s hack. On 19 September, Cyble informed the company of the hack, claiming hackers on the dark web were willing to trade massive amounts of its customer data. Cyble’s initial pitch was straightforward—it would help in retrieving the stolen data only if the company subscribed to its services for $140,000, alleged an executive who works closely with RedDoorz.
Like Bigbasket, RedDoorz declined to play ball. Still, Cyble persisted, telling the company that the data would be out for sale on the dark web in the next 72 hours, claims the executive quoted above. Having verified the hack did actually happen, RedDoorz chose instead to go public with details of the hack the next day, informing users and police authorities about the breach.
Despite this, Cyble took one last crack at pitching to RedDoorz, says the executive. It told the startup that it had bought the hacked data outright—about 5.7 million records in all—asking RedDoorz one final time if it would like to subscribe to Cyble’s services, says the executive quoted earlier.
The Ken has accessed a report the startup compiled for law enforcement agencies following the event. It raised two red flags—Cyble refused to disclose any details of the dark web source on which RedDoorz’ data was available.