CERT-In Issues Advisory for OnePlus Data BreachCautions 3000 Indian Users about Influx of Spam and Phishing Emails
About 3000 Indian customers' credentials were exposed in the OnePlus, a Chinese Smartphone manufacturer's data breach, where hackers had accessed customer data. CERT-In has issued an advisory on the breach while cautioning users about the influx of spam and phishing email owing to the incident.
A staff member of the security team at OnePlus revealed the breach details on the evening of Nov. 22, as its team discovered that some users' order information was accessed by an unauthorized party.
In a statement, OnePlus acknowledged that hackers had accessed some of its customers' order data, but claimed payment information, passwords and accounts "are safe."
The Indian Computer Emergency Response Team stated that all the affected users have already been notified by email. It cautioned users about the influx of spam and phishing emails as a result of this incident and they need to stay alert against these kinds of mails.
OnePlus stated that it has informed users by email and is working with the relevant authorities to further investigate this incident.
How It Happened
OnePlus maintained that while monitoring its systems, its security team discovered that some of its users' order information was accessed by an unauthorized party and all payment information, passwords and accounts are safe, but the name, contact number, email and shipping address in certain orders may have been exposed.
The statement said that the breach happened through the OnePlus website, perhaps the online store, rather than its phones.
OnePlus, which is still in the process of shifting its data to Amazon Web Services India servers from Singapore, faced a data security breach in 2018 as well. where over 40,000 customers were affected, resulting in the exposure of bank card details, reports Economic Times.
The incident follows the recent WhatsApp snooping incident, where at least two dozen Indian journalists, activists, lawyers and academics were targeted for surveillance. The Indian breach was reported after WhatsApp sued NSO Group, accusing it of helping break into the phones of 1,400 users across four continents.
CERT-In has further advised users to not click on any attachment or URL contained in an unsolicited email, even if the link seems benign, and recommends users to change their OnePlus account passwords.
"The data potentially stolen, like your name and address can't be easily changed," points out ethical hacker John Opdenakker to Forbes. Among the risks of this data being exposed, criminals can use this information to create phishing mails that appear legit, he says.
Worse, he warns, the kind of information stolen can also be abused to impersonate you and gain access to other accounts.
Cyberlaw expert Pavan Duggal informs Economic Times that users will have to start incorporating cybersecurity as the way of life, and will have to be careful and exercise due diligence.
"If any user finds the data is gone, then he/she can sue the company for unlimited damages under Section 43A of the IT Act. Also, the user can file criminal charges against the company because when the user gives the data, the law requires intermediary to hold the data in trust," Duggal added.
As a legal course of action, Vicky Shah, Advocate and cyber law practitioner says, users affected can claim damages subject to that they are able to justify the loss arising out of the same.
"The IT Act is capable of covering the same and a redressal mechanism is available," says Shah.
One Plus confirmed that its team is continually upgrading its security program and will be partnering with a security solutions major next month in launching its bug bounty program by the end of December.