Restaurant and food delivery app Zomato has confirmed that it has been communicating with the hacker responsible for stealing the data of around 17 million of its customers.
The company, which claims to boast over 120 million users, confirmed that information including email address and hashed passwords had been compromised, but insists data relating to payment information had been stored separately in a secured PCI Data Security Standard compliant vault and that no credit card data had been stolen.
Zomato’s reaction was to make a pledge at plugging potential gaps in its security of user information, while also adding a layer of authorization for internal teams to avoid the possibility of a human breach.
Hours after confirming the attack, Zomato released an update stating that it had opened “a line of communication with the hacker who had put the user data up for sale”.
It continued by stating that the hacker had been “very cooperative” and claimed he wanted the company to acknowledge security vulnerabilities in its system.
On request of the hacker, Zomato is set to run a bug bounty program on Hackerone, in a deal that will see all copies of stolen data destroyed and taken off the dark web marketplace.
It added: “This incident has made our team’s commitment to addressing all our security issues in a responsible and timely manner even stronger. We look forward to working more closely with the ethical hacker community, to make Zomato a safer place for our users.”
The emergence of an “ethical hacker” in the Zomato data breach is in stark contrast to that of other recent attacks across the world over recent weeks, although it does nevertheless further emphasize the importance of ensuring that software is kept up to date.
The failure to keep software updated has been cited as a root cause of several high-profile hacks, with some experts even labelling it as one of five “basic security mistakes”.
