Aditya Birla Capital Digital (ABCD) has successfully restored gold lost to hackers and has completed a forensic audit following a significant breach that exposed vulnerabilities within its application interface protocols (APIs). This incident highlights rising concerns regarding cybersecurity in the digital finance sector.
On June 24, ABCD reported to the Mumbai Police’s cyber cell that unauthorized transactions involving ₹1.95 crore in digital gold were made from customer accounts without consent. An internal investigation revealed that on June 9, digital gold linked to 435 accounts was sold off by an unknown individual who hacked the API endpoint of the ABCD app.
Digital gold allows users to invest in gold without physical storage, with the commodity being secured in vaults. According to the FIR, the hacker managed to circumvent normal transaction protocols, facilitating sales of digital gold without the affected customers’ approval. Typically, customers must register their mobile numbers to buy or sell digital gold via the ABCD app, with sales requiring OTP (one-time password) verification. The funds from these unauthorized transactions were then diverted into various bank accounts.
Cybersecurity experts are increasingly alarmed by such breaches, which they suggest could become more prevalent among Indian companies. Lalit Kalra, partner and leader in cyber security and data privacy at EY India, emphasized that unsecured or misconfigured API endpoints pose a growing threat worldwide. Kalra stated, “From leaking personal data to enabling account takeovers, APIs have become a goldmine for attackers.” He noted that many modern data breaches occur not through traditional hacking methods, but via neglected APIs, often exposing organizations to serious risks.
The ABCD app operates under Aditya Birla Capital Digital Ltd, a wholly owned subsidiary established in March 2023, and was developed at a cost of ₹100 crore. The platform offers products related to credit, investments, insurance, and payments. In response to the breach, ABCD has implemented enhanced security measures, including advanced encryption and validation checks. A spokesperson for the company confirmed, “All our services on the platform are live and fully secure. We have proactively contacted all impacted customers and have restored their Digi Gold holdings to their respective accounts.”
Sidharth Mutreja, co-founder and CTO of cyber security firm RockLadder Technologies, indicated that cybercriminals often target API vulnerabilities in search of backdoors into systems. Despite an increasing availability of managed security solutions, weak encryption remains a prevalent issue contributing to global breaches.
Kalra further pointed out that as regulations like India’s Cert-In guidelines and the Digital Personal Data Protection Act become more stringent, companies face rising compliance costs, especially if their API endpoints are inadequately secured. He warned, “The costs, especially for smaller companies, can be crippling.” Cert-In mandates that companies report breaches, such as the ABCD incident, within a six-hour window to avoid governmental penalties.
As organizations confront the realities of digital security, this incident sheds light on critical vulnerabilities and the urgent need for stronger protections against an evolving threat landscape.
Original Source: https://www.livemint.com/news/digital-gold-hackers-struck-aditya-birla-capital-digital-weal-encyption-cyber-criminals-ey-india-data-privacy-11751192030975.html
Category :
Tags:
Publish Date: 2025-06-30 05:20:00
