Here is an incident that makes me to think how the consumer data that one might think may be secure in a business using a powerful and secure cloud may not be really secure.
In Sept’2011 , I had booked two tickets through Redbus.in and then had to cancel them for which Redbus.in offered me cash coupons instead of refunds for cancellations . The cash coupons are an 8 digit number that one can use again to book a ticket on redbus.in . My coupons are valid till March’2012. So, yesterday, I wanted to use the valid coupons to book two tickets on their website and I got a coupon invalid/expired error. I then immediately contacted their support and I was surprised to know that some one else had traveled to Bangalore using my coupons. The first support staff promised me to get back to me on this and he never got back after an hours time. I called them again and the second support staff looked in to the issue and said that my coupons indeed has been misused and that I should email Redbus.in support to resolve this as he couldn’t help.
At the outset, it occurred to me this is a clear indication of a data theft. How could some one else ,an outsider would know about the coupon details that was generated by the system and emailed to me ? Only an insider who has access to the customer transactional data would really have access to this.
Just imagine the fact there are several thousands of people booking through Redbus.in and cancelling and what if hundreds of misuses like this happen. For instance,As of now, I am unable to use Rs 3820 value of coupon or ~ USD 75 . Imagine the losses for 10,00 or more such incidents potentially!
Take away :-
Even the most secure of the clouds may not guarantee the security in a business. People aspects,business practices and a proper Governance are critical to making the information really secure.
Redbus.in with the funding of leading global VCs have been operational now and seems to be mature at the outset. But incidents such as this and their own personnel casually reporting that cash coupons have been misused asking me to escalate the matter really reflects the real dark picture of the business inside. This may sound like a simple matter @ $75 misuse, But this should be a wake up call for any businesses who intend to migrate their business over to the cloud to think beyond technology and related aspects otherwise the risks may be higher both for the business and its clients.
As I am writing this para, Redbus.in support team has acknowledged my email sent yesterday and I hope they resolve this soon and its management take a note of an issue like this seriously from a public consumer perspective as there is a potential to commit fraud at a huge level given the transaction volumes envisaged in a business such as this.