Upstox, one of the largest discount broking firms, recently suffered a security breach of its systems, resulting in the exposure of its customers’ sensitive information.

Though Upstox did not specify how many users’ data was compromised, media reports suggest that the data of at least 25 lakh customers was breached.

Upgraded system

The leaked information includes names, email addresses, dates of birth, bank account information, and about 56 million know-your-customer (KYC) documents pulled from the company's server.

Following the incident, Upstox issued a clarification, stating: "We have upgraded our security systems manifold recently, on the recommendations of a global cyber-security firm. We brought in the expertise of this globally renowned firm after we received emails claiming unauthorised access into our database. These claims suggested that some contact data and KYC details may have been compromised from third-party data-warehouse systems."

The firm’s co-founder and CEO, Ravi Kumar, stated on its website: "We would like to assure you that your funds and securities are protected and remain safe. Funds can only be moved to your linked bank accounts and your securities are held with the relevant depositories.

As a matter of abundant caution, we have also initiated a secure password reset via OTP." The broking house has also immediately restricted access to the impacted database, added multiple security enhancements at all third-party data-warehouses, set up real-time 24x7 monitoring and ring-fenced the network.

SEBI mandate

The Securities and Exchange Board of India (SEBI) has mandated that all market intermediary institutions such as exchanges, depositories and brokerages adhere to its guidelines from April 1, 2019.

It asked exchanges and brokerages to identify critical IT assets and risks; protect these assets by deploying suitable controls, tools and measures; detect incidents, anomalies and attacks through appropriate monitoring tools/processes; respond by taking immediate steps after identification of the incident, anomaly or attack; and recover through incident management and other appropriate recovery mechanisms.

SEBI had also directed stockbrokers and depository participants to identify critical assets based on their sensitivity and criticality for business operations, services and data management. "To this end, stockbrokers/depository participants should maintain up-to-date inventory of its hardware and systems and the personnel to whom these have been issued, software and information assets (internal and external), details of its network resources, connections to its network and data flows," the markets regulator said.

SEBI, in its annual report for 2019-20, has acknowledged the threat of cyber-attacks that could compromise the confidentiality, integrity and availability of computer systems, networks and databases in the markets ecosystem.

To address the issue, the regulator plans to establish a cyber security fusion centre or a cyber lab as part of its structure for monitoring cyber security-related events in the securities markets, and is taking actions to protect the securities market. The three-tier structure would strengthen the cyber security preparedness or resilience of the entire securities market ecosystem, it believes.

Despite all these steps, the hacking incident has revealed the vulnerability of our market institutions.

Though Upstox was quick to address and fix the issue, the incident is also a wake-up call to all intermediaries and market infrastructure institutions to strengthen their cyber security teams.

SEBI should also come out with dos and don’ts after studying this case in detail to make our market infrastructure robust and foolproof.