Famous Indian brands exposed in massive marketing firm data leak


Customers of Swiggy, Redbus, Nykaa, BigBasket, TataMotors, ICICIPruLife, Axis Direct, and other brands in India have been put at risk. Cybersecurity neglect resulted in a tremendous amount of their personal data being exposed.

On February 12th, the Cybernews research team discovered a publicly accessible Apache Kafka Broker belonging to India-based marketing analytics firm Gamooga.

The company provides insights into customers' habits and activities in order to construct successful marketing campaigns.

The open instance contained sensitive data from multiple well-known India-based brands and their customers, including banking service providers, insurance agencies, e-commerce stores, entertainment apps, and educational institutions.

Bus traveler information, including destinations

The data was accessible for more than a year, allowing anyone to connect to the broker and receive customers’ sensitive data in real time. The private data of at least a million users was leaked.

The data leak is extremely dangerous, not only for the sensitive data made public but also for its massive scope. Gamooga claims that it tracks over a billion users, which would constitute two-thirds of India’s population or one-eighth of the world’s population.

Information from Nykaa, including customer PII

Another major concern is that the companies affected by the leak have not clearly stated in their privacy policies that customers' data is accessible to third parties for marketing purposes, which might violate India’s data protection laws.

Cybernews contacted Gamooga, and the company secured access to the data. An official comment from the marketing firm and the affected companies is yet to be received.

Some of the well-known brands affected by the leak include:

  • Nykaa (Beauty products)
  • Swiggy (Food delivery service)
  • BigBasket (Online grocery store)
  • TataMotors (Indian multinational automotive company)
  • ICICIPruLife (Life Insurance products)
  • CaratLane (Jewellery retailer)
  • AxisDirect (Demat and Trading services subsided by Axis Bank)
  • Redbus (Online bus ticket booking service)

Tremendous amount of data

Kafka is a distributed message streaming platform that’s used to handle large amounts of data in real time. Brokers are the servers in Kafka’s architecture that store data records and transfer them from one system to another.
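
The article does not say how Gamooga's broker was configured. As an added illustration (not from the original article or from Gamooga), this Python check reads a broker's `server.properties` and flags the settings that leave a Kafka listener open to anyone who can reach it. The function names, addresses and both sample configurations are constructed for the example.

```python
# Added example: audit a Kafka server.properties for open listeners.
# Both sample configs are constructed; nothing here comes from the incident.

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_broker(text):
    """Return a list of findings for one broker configuration."""
    props = parse_properties(text)
    findings = []
    # Custom listener names are mapped to a security protocol here.
    pairs = props.get("listener.security.protocol.map", "").split(",")
    proto_map = dict(p.strip().split(":", 1) for p in pairs if ":" in p)
    # Kafka's default when unset is a PLAINTEXT listener on port 9092.
    for listener in props.get("listeners", "PLAINTEXT://:9092").split(","):
        name, _, address = listener.strip().partition("://")
        host = address.rsplit(":", 1)[0]
        proto = proto_map.get(name, name)
        scope = "all interfaces" if host in ("", "0.0.0.0") else host
        if proto == "PLAINTEXT":
            findings.append(f"{name} on {scope}: no authentication, no TLS")
        elif proto == "SSL" and props.get("ssl.client.auth") != "required":
            findings.append(f"{name} on {scope}: TLS without client authentication")
        elif proto == "SASL_PLAINTEXT":
            findings.append(f"{name} on {scope}: authenticated but unencrypted")
    if "authorizer.class.name" not in props:
        findings.append("no authorizer configured: topic ACLs are not enforced")
    if props.get("allow.everyone.if.no.acl.found", "false") == "true":
        findings.append("allow.everyone.if.no.acl.found=true: topics without ACLs are open")
    return findings

EXPOSED = "listeners=PLAINTEXT://0.0.0.0:9092\n"  # constructed weak config
HARDENED = """
listeners=CLIENT://10.0.0.5:9093
listener.security.protocol.map=CLIENT:SASL_SSL
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
"""  # constructed hardened config

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, audit_broker(cfg) or "no findings")
```

A clean result covers only the broker file; network exposure still depends on firewall and security-group rules in front of the listener.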

Full list of leaked data:

  • Email addresses, names
  • Purchase history
  • IP addresses
  • Phone numbers
  • Dates of Birth
  • Order delivery dates
  • Insurance information
  • Partial payment information
  • Device information
  • User locations

Data from ICICI PruLife, including user device information, tracking IDs

During the investigation, the Cybernews research team collected over 40 million requests sent in real-time by the unprotected Kafka Broker, totaling 17GB of private data in only two hours. If threat actors had dedicated more time to collecting this information, they could have harvested significantly larger volumes of sensitive data.

The set of requests collected by the researchers contained the sensitive information of at least one million unique users. Over the entire period that the broker was publicly accessible, the total number of such requests could have soared to 200 billion.

Order information from BigBasket

Credit card information

Putting customers at risk

The leaked data would be invaluable to data brokers, law enforcement, government, intelligence agencies, and malicious actors to spy on individuals, obtaining insights into people’s activities, behavior, and location.

Information from an Insurance provider

If accessed by threat actors, the data could be used to cause significant damage to companies using Gamooga’s services. The leaked data poses serious cybersecurity risks, such as identity theft, spamming, doxxing, phishing, intimidation, blackmail, and manipulation.

Emails sent by TataMotors

Not stated in the privacy policy

The Cybernews research team reviewed the privacy and cookie policies of the companies whose user data was found to be transmitted by the exposed Kafka Broker.

None of the companies disclosed that user data is shared with Gamooga for marketing purposes. Some of the policies disclosed the use of third-party marketing partners but have not specified what data has been shared and how it is used.

CaratLane customers and web requests

Similarly to Europe’s GDPR and California’s CCPA, India is in the process of adopting its own data protection laws – the Digital Personal Data Protection Act, 2023 (DPDPA).

According to the act, businesses need to obtain consent from their users before they can process their users’ data, state for what purposes the collected data would be used, and allow users to revoke consent.

The fact that the companies have not stated that user data has been shared with Gamooga may be considered a breach of DPDPA.

Information gathered from banking apps