Flipkart’s Cleartrip suffers “massive” data breach

The outline of a Boeing aircraft with clouds and moon in the background
(Image credit: Getty Images)

The Indian online travel company Cleartrip revealed it has been affected by a data breach, which one security researcher described as “massive”.

The company said there had been a security anomaly that entailed illegal and unauthorised access to a part of its internal systems, it told customers in an email sent yesterday.

Cleartrip assured customers that aside from some details which are part of their profile, no sensitive information belonging to their account had been compromised as a result of the anomaly of its systems. The travel company said that customers could choose to reset their passwords as a precautionary measure.

“As per our protocols, we have immediately intimated the relevant cyber authorities and are taking appropriate legal action and recourse to ensure necessary steps are being taken as per the law,” the company stated in the email.

However, security researcher Sunny Nehra said that the company seems to have suffered a massive data breach. Nehra found that the threat actor posted a screenshot of the stolen data on a private forum to sell the data.

Nehra added that the breach is new and includes customer entries as well as internal company files. There are several files, including “B2C Customer Entries” and “09_India_hotel_sale”. The screenshot also appears to show that the hack may have taken place between April and May 2022.

“We have identified a security anomaly in a few of our internal systems,” a Cleartrip spokesperson told IT Pro. “Our information security team is currently investigating the matter along with a leading external forensics partner and is taking the necessary action. Appropriate legal action and recourse are being evaluated and steps are being taken as per the law.”

Cleartrip is a global online travel company headquartered in Mumbai which operates in India and the Middle East. It has offices in India, the UAE, Saudi Arabia, and Egypt. In April 2021, it was acquired by the Indian e-commerce giant Flipkart, which claims to have over 100 million registered users.

It’s not the only Indian company to be targeted by attackers recently, as a flood monitoring system in Goa was hit with ransomware last week. Cyber attackers demanded Bitcoin in return for decrypting the data after striking the Water Resource Department’s flood monitoring system with a ransomware attack on 21 June.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.