Durex India leaks private customer order data
Durex India, the Indian subsidiary of the British condom and lubricant brand, has exposed personal details about its customers, including their full names and order details.
Security researcher Sourajeet Majumder contacted TechCrunch this week about the exposure of sensitive customer data on the condom manufacturer’s website.
The brand’s website exposed customers’ names, phone numbers, email addresses, shipping addresses, products ordered, and amounts paid. The exact number of affected customers is unknown. However, the researcher found evidence that lots of individuals had their information exposed because of a lack of proper authentication on the order confirmation page.
“As a brand dealing in intimate products, ensuring privacy is critical,” Majumder told TechCrunch.
TechCrunch verified Majumder’s findings and found that customer order details were still available online at the time of writing. As such, TechCrunch is withholding some details of the exposure so as not to help malicious actors.
When contacted by TechCrunch before the publication of this article on the exposed customer data, Ravi Bhatnagar, a spokesman for Reckitt, the parent company of Durex, declined to comment or say whether the company plans to secure its customer data.
The researcher told TechCrunch that the data could be used for identity theft, and the contact details could lead to unwanted harassment. Majumder said he also contacted India’s Computer Emergency Response Team (CERT-In) about the vulnerability, which confirmed receipt of his email.
“Customers whose data has been leaked may also fall victim to social harassment or moral scrutiny due to the data leak,” the researcher said.