Aditya Birla Fashion and Retail Ltd. (ABFRL) Hacked — All Data Leaked Online

One of the largest fashion and retail outlets in the world has been breached by a high-profile hacking group that goes by the name of ShinyHunters. The hackers exfiltrated data from ABFRL servers and then demanded payment. Now that negotiations have failed, ShinyHunters has published all of the data online, including 5.47 million email addresses. We have examined the data and obtained exclusive commentary from ShinyHunters for this report.

Update 1: Cybersecurity researcher Troy Hunt has now added the data from this breach to the Have I Been Pwned database. (January 14, 2021)

Update 2: ABFRL has finally acknowledged the data breach in an email to customers. (January 17, 2021)

Update 3: ShinyHunters has informed us that ABFRL’s fashion websites are still exposed and unsecured, despite the company’s claims that the problems are fixed. (January 18, 2021)

Aditya Birla Fashion and Retail Ltd. (ABFRL) is a large conglomerate retail outlet with 3,212 retail stores throughout India and over 22,000 employees. It is a subsidiary of the Aditya Birla Group, which spans numerous sectors and has annual revenues of $45 Billion.

Earlier today, the high-profile hacking group ShinyHunters leaked all of the data from its hack of ABFRL on an underground hacking forum. ShinyHunters is the same group that has hacked many other large businesses, including Microsoft, Tokopedia, Pixlr, Mashable, Minted, and more.

ShinyHunters explained that they have had access to the ABFRL network for many weeks

What data has been published?

ShinyHunters has now published private data from ABFRL that includes:

• ABFRL employee data (full name, email, birth date, physical address, gender, age, marital status, salary, religion, and more)
• ABFRL customer data and hundreds of thousands of invoices
• ABFRL website source code and server reports

Are you a customer or employee of ABFRL and have been notified of this data breach?

Please contact us here to provide additional details.

Negotiations failed, data posted online for free

The post and data are publicly available right now, and have been downloaded by others, but you need to be a member of the hacking forum to view the content. In the original post, ShinyHunters explained the rationale for releasing the data as follows:

We tried to get in touch with ABFRL. They sent a negotiator but he was just stalling (the offer was more than reasonable for a “US$ 45-Billion conglomerate”).
So we decided to leak everything for you guys including their famous divisions such as Pantaloons.com or Jaypore.com.

-ShinyHunters, January 11, 2022

Below is the original source of this leak documenting that we captured on the hacking forum.

The post above does not discuss the exact amount that the hackers requested for payment, or when exactly ABFRL was first breached by the group.

ABFRL data analysis

We have now obtained the data from ABFRL for our own analysis. The data is broken down into three large files and available for free.

Based on our initial analysis, we are seeing sensitive corporate data from many clothing brands that fall under the ABFRL umbrella in India. One batch of data that we have analyzed includes server logs and vulnerability reports for the following clothing brand websites in India:

• American Eagle
• Pentaloons
• Forever21
• The Collective
• Van Heusen
• Shantanu and Nikhil
• Planet Fashion
• Simon Carter
• Peter England

Another batch of data we analyzed contains financial and transaction information, with 21 GB of ABFRL invoices, including sensitive payment details, and customer information.

Update: ShinyHunters told us that they have extensive credit card data from ABFRL customers, specifically from Pantaloons.com, and this was communicated to ABFRL staff about two months ago. However, we are told that nothing has been done and it does not appear that anyone was notified about the breach.

ABFRL has not commented on (or denied) the breach

We contacted ABFRL’s press team to provide any comment on this story. So far, neither ABFRL nor the parent company, Aditya Birla Group, have commented on the data breach on any of their websites.

The parent company’s business reach spans many countries around the world. It is a large player in many industries.

We have not yet received any response, but will monitor the situation and update this article with any new information.

Potential impact of data breach for ABFRL employees, customers, and affiliates

With the amount of sensitive data in this release, many people could be impacted.

As we noted above, there is lots of private information that has already been released, including sensitive payment details. This puts ABFRL customers, employees, and affiliates at risk of:

• financial fraud
• identity theft
• phishing attempts
• social engineering attacks
• hacked accounts
• social security scams

As always, we recommend closely monitoring your bank statements, credit cards, financial information, email, and all online accounts for fraudulent activity.

Business model: Exfiltrate data, then demand ransom payment (without encryption)

Many people are aware of ransomware and the business model that goes with it. This involves hacking a server or network, encrypting the files, and then demanding a payout from the victim. This has been a popular attack for years as it encrypts files and prevents access with everything being encrypted with a private key.

However, we are now seeing a trend that does not involve encryption. In this new business model, a threat actor simply exfiltrates as much data as possible, and then demands a payment from the victim, with the threat of releasing all data should the negotiations fail.

Because the release of this data could be very expensive for a business, many are willing to negotiate a payment to make the problem go away and have the data deleted. This is particularly the case as we see class action lawsuits for data breaches and other long-term costs associated with networks and servers being hacked.

In short, it is often cheaper to pay a hacker to not publicly release the data than pay for the implications of the breach. Additionally, many hacking and ransomware groups will offer to assist the victim in patching security vulnerabilities that resulted in the hack.

ABFRL is ShinyHunters’ first big leak of 2022

As we noted above, ShinyHunters is a prolific and well-known hacking group. The hack of ABFRL marks the group’s first major release of 2022.

You can see other victims of ShinyHunters on the group’s Wikipedia page here. The group’s previous exploits include:

• Microsoft – 500 GB of Microsoft source code stolen and sold online
• Mashable – 5.22 GB of company and staff data
• Tokopedia – 91 million user accounts
• Pixlr – 1.9 million user accounts
• 123RF – 8.3 million user accounts
• Wattpad – 270 million user records
• Pluto TV – 3.2 million Pluto TV user records
• Animal Jam – 46 million accounts leaked
• WedMeGood – 41.5 GB of user data
• BigBasket – 20 million user accounts
• Dave.com – 7 million user accounts
• Couchsurfing.com – Data from 17 million users
• Dunzo – 11 GB of company data
• Nitro PDF – 77 million user records
• Bhinneka – 1 million user accounts
• Minted – 5 million accounts leaked
• ProctorU – 444,267 accounts
• Bonobos – Full backup database with 7 million customers and 1.8 million registered users
• Swvl – 4 million users
• Mathway – 25 million records
• Wishbone app – 40 million user records

Note: This list is not exhaustive.

We will continue to monitor the situation with the ABFRL hack and update this article as more information becomes available.