You are reading it here first: At least a hundred Indians interested in buying the PlayStation 5 might have to shell out more than just money. Reliance Digital took out a pre-registration survey of people who were interested in purchasing the game console, but in the process, left their names, email addresses and phone numbers exposed. Reliance Digital took the survey down after MediaNama reached out to them asking if they were aware of this. The company did not respond to our queries.
At the time of publishing, more than 800 people had taken the survey, and MediaNama could see personal details of around a hundred people. The survey was being run on a Google Form, and after taking the survey, an option popped up to see others’ responses. When we clicked on the option, the webpage was redirected to responses submitted by other participants in the survey, where their personal details were displayed. It was also possible to see user details as Reliance Digital appears to have “published” responses to the form by having lax privacy settings on the form.
Aside from exposing users’ personal data, the survey webpage also exposed commercial data on the demand for the PlayStation 5 hardware, software and peripheral devices. This included details about when people are likely to purchase the device, when it eventually launches in India, the additional accessories people are likely to purchase, and whether they will buy a PS Plus membership, which allows for multiplayer gaming on many titles.
Some examples of the kind of commercial intelligence data that the survey left exposed:
In response to our queries, a Sony spokesperson sent us the following statement:
“Thank you for bringing this to our notice, we have shared this information with Reliance to take necessary action. Sony India follows strict privacy protocols to safe guard its customer data.”
Poor data security practices
This is not an isolated instance where data of Indians was left exposed owing to poor data security practices adopted by companies:
- Earlier this month, data of over 2 crore BigBasket users, including their names, email IDs, password hashes, pin, and contact numbers, among others, was leaked and is being sold on the dark web.
- In October, PTI was hit with a ransomware attack that forced the news agency to suspend its publishing services for several hours.
- In August, a breach at ticketing and travel website RailYatri exposed details of over 700,000 users. The leaked details included sensitive details such as travel itineraries, and financial data such as credit and debit card information and UPI Ids.
Aroon Deep contributed reporting.
*Update at 7:24 PM: Updated with statement from Sony’s spokesperson.