JALANDHAR, Punjab—On February 6, a highly reputed Mumbai-based diamond trading company sold a 4.51 carat round-shaped diamond worth Rs 8 lakh at a discount of 40 per cent to a broker at 4:27 pm.
When the bill was being generated, an employee of the diamond trader entered all the details of the sale into a custom ERP software made for the company. What neither party in this deal knew is that all the bill details, including the shape, size, quality, and price of the diamonds, were being uploaded to a cloud-based data dump.
This data was left unencrypted and without any access control—you didn’t need to enter a username or password to read the details. Anyone could find the files on the open Internet with just a little effort.
But it wasn’t just one diamond trader either. The ERP program, made by Fauna Technologies, had several other takers among India’s biggest diamond merchants. While the first sale was happening, another diamond merchant sold five round-shaped diamonds of 5 carats each, worth Rs 1.96 crore, to a Mumbai-based buyer. Another company sold one round and two heart-shaped diamonds worth Rs 42 lakh to a Chandni Chowk-based jeweller in New Delhi.
All of this is just the latest data verified by HuffPost India, but what’s more surprising is the entirely lax response from all the involved parties.
Little to no security
Jewelry companies pay a lot of attention to physical security, but their data is not being treated in the same way. All the companies whose data was being exposed are located inside Mumbai’s Bharat Diamond Bourse (BDB), one of the largest and most sophisticated diamond trade centres in the world, situated in the Bandra-Kurla Complex.
It opened in 2010, and the BDB now has over 4,000 members engaged in the import, export, manufacturing and marketing of rough and polished diamonds. In 2017-18, BDB reported total imports of Rs 1,48,383 crore, while exports were Rs 1,65,932 crore.
It’s big business, but the companies don’t seem to be willing to accept that there could be data leaks. This particular leak was discovered by Banbreach, an Indian cybersecurity company, but its report wasn’t taken seriously.
“The data reported to be leaking is only of those companies who are using an Enterprise Resource Planning (ERP) software ‘Diamond ERP’ designed and configured by Fauna Technologies. The software is uploading real time entries of all sales and purchases on the cloud server, which was not protected by any login ID and password,” Suman Kar, CEO of Banbreach, told HuffPost India.
Kar tried to report this information to the companies but met with no success, and when he tried to contact Fauna Technologies, he found its website was defunct. Despite attempting to contact the companies for a month, Kar said he received no response. Later, he also alerted CERT-IN, the national nodal agency for responding to computer security incidents as and when they occur.
“Since anyone could access, and run commands on the server, an attacker could have easily deleted reports or, in the worst case, shut down the ERP system impacting all concerned businesses,” said Kar.
Who is Fauna Technologies?
There was one big problem with this—Fauna Technologies, which provided the software to these diamond traders, had shut down, and its CEO, Purav R Choksi, wasn’t providing tech support anymore.
Choksi—no relation to infamous fugitive jeweler Mehul Choksi—is now working towards spiritual healing. His focus is pranic healing and arhatic yoga, and his Twitter account shows how dedicated he is to the practice. Aside from that, he said he is planning on developing apps, and also dedicates his time to tweeting in support of PM Modi and the BJP.
Before starting Fauna Technologies, Choksi worked as the Web Manager for Venus Jewels for seven years, until late 2007. In January 2008, he launched Fauna Technologies and provided technology solutions for a number of diamond sellers.
Speaking to HuffPost India on the phone, he confirmed that his company had provided software to the diamond traders, but then said that his contract with them ended a few years ago. Choksi added that he wasn’t sure how he could help them anymore.
“We took all measures to provide a foolproof software for the diamond merchants to carry out their business transactions in a secure environment. Our contract with the companies got over many years ago. I am not aware about the ERP solution they are using at present,” said Choksi.
When HuffPost India verified Banbreach’s findings, the unsecured server with the billing data was on the domain of the Fauna Technologies website.
Thousands of bills, publicly accessible
On this site, HuffPost India was able to verify that the ERP system generates thousands of reports every day. The publicly accessible interface of the ERP’s reporting software lists the last 1,000 such reports. Additionally, the most recent 10 reports have hyperlinks to the actual reports.
“All breaches, though common, are important to report to enforcement agencies. In this case, neither the diamond merchants nor the security expert have approached us. We can investigate the matter only if we receive any formal complaint by any of the two,” said Brijesh Singh, IG (Cyber Crime), Maharashtra Police.
According to Banbreach’s Kar, the leak shows real-time sales and purchases of diamonds worth crores every hour. The reports uploaded by some of India’s renowned diamond merchants also showed the date and time of purchase and a description of the diamonds, including their colour, carat and price.
Some reports also mentioned the name and contact number of the broker and the commission paid to him in cash by the companies. The reports also included delivery challans, which carried the name and details of the consignee, his address, and details of the diamond goods, including their quantity, weight in carats and value in US dollars and rupees.
However, when contacted by HuffPost India, the companies did not believe that their software was compromised. “The data must have been hacked by someone. It cannot get uploaded and leaked anywhere else as we have our own ERP Software,” Amar Sangvi, head of sales at Kumar Jewels, told HuffPost India over the phone. Some of the other companies responded similarly when presented with their latest bills, but most simply refused to discuss the matter over the phone.
Banbreach’s Kar said that Fauna Technologies should have at least mandated a password, if not multi-factor authentication, to access these reports. Additionally, they should have isolated the physical storage of these reports. They could also have encrypted the documents, but owing to the low awareness of cyber security in India, none of these basic steps were taken.