In a concerning breach of privacy, Durex India, the Indian subsidiary of the renowned British condom and personal lubricants brand, has inadvertently exposed sensitive customer information on its website. The data leak includes customers' full names, phone numbers, email addresses, shipping details, product orders, and payment amounts.
Security researcher Sourajeet Majumder uncovered the issue and alerted TechCrunch to the vulnerability. The exact number of affected customers remains unknown, but evidence suggests that hundreds of individuals may have had their information compromised because of inadequate authentication measures on the order confirmation page.
TechCrunch independently verified Majumder's findings and confirmed that customer order details were still accessible online at the time of reporting. The publication has chosen to withhold specific details about the exposure to prevent potential misuse by malicious actors.
When contacted by TechCrunch, Ravi Bhatnagar, a spokesperson for Durex's parent company Reckitt, declined to comment on the situation or provide information about any plans to secure customer data.
The exposed information poses significant risks to affected customers, including potential identity theft and unwanted harassment. Majumder emphasized the gravity of the situation, stating, "For a brand dealing with intimate products, ensuring privacy is crucial." He also warned that customers could become targets of social harassment or moral policing due to the nature of the leaked data.
Majumder reported the security lapse to India's Computer Emergency Response Team (CERT-In), which acknowledged receipt of his email.
As of now, Durex India has not publicly addressed the issue or announced any measures to rectify the situation. Customers who have placed orders through the Durex India website are advised to remain vigilant and monitor their personal information for any signs of misuse.
This incident serves as a stark reminder of the importance of robust data protection measures, especially for companies handling sensitive customer information. As consumers increasingly rely on online platforms for personal purchases, the onus is on businesses to prioritize and safeguard user privacy.