Just a day ago, many of the customers of the Flipkart-owned Cleartrip travel booking platform received an email. The letter said concisely, “This is to inform you that there has been a security anomaly that involved illegal and unauthorized access to a portion of Cleartrip’s internal systems.”
“We are fully aware that this would be of concern to you. We would like to assure you that, other than some details that are part of your profile, no sensitive information regarding your Cleartrip account has been compromised as a result of this anomaly of our systems. for resetting your password as a precaution.”
The letter went on to say that the company had informed the police and cyber authorities.
Data breaches, in these days of large-scale hacking, are unfortunately not uncommon. And the hotel sector, for obvious reasons, is the most targeted. We recently saw the Marriott hotel chain become the target of a sinister hacking incident. A recent report said that nearly half of companies around the world have experienced a data breach in recent years. India ranks 6th among countries for data breaches, and Indians lose 3.8 data points per data breach while the global average is just 2.3.
Most Indian companies hide things from customers
All of this clearly points to the fact that what happened at Cleartrip, while troubling, is not out of the ordinary. What made matters worse is the way Cleartrip has gone about keeping affected customers in the loop. In the letter, Cleartrip did not mention when the breach occurred, the number of customers whose data was compromised, or exactly what data was breached. The letter from the company was totally reticent in all these respects. It just asked its customers to get a new password.
This approach is less than professional. Global companies come out and explain when a data breach happened and what it involved. For example, in the Marriott hack, the company released information that unknown threat actors stole 20GB of data from its servers. Hackers also tried to extort Marriott, but the company refused to pay a ransom fee for the safe return of data.
In Cleartrip’s case, the company’s marked reluctance to convey the information it has a duty to share reflects the prevailing mindset among many Indian companies. They often prefer to sweep things under the rug rather than explain them honestly and truthfully.
For the record, this is the first data breach that has come to light since instructions from the Indian Computer Emergency Response Team (CERT-In) went into effect at the end of June. Its instructions require companies to report cybersecurity incidents to CERT-In within six hours of discovering the issue. (But no information is available on when the data breach occurred.)
This is not the first time that Cleartrip has suffered a breach of its systems. In 2017, a hacking group called Turtle Squad defaced its website after gaining unauthorized access.