In its updated Draft Red Herring Prospectus (DRHP), IPO-bound Swiggy reported that the food delivery aggregator experienced two cyberattacks leading to data breaches between 2022 and June 30, 2024. Swiggy acknowledged in the report that its platform and back-end infrastructure are susceptible to cyberattacks and security breaches, including social engineering, denial-of-service attacks, credential stuffing, ransomware, malware, employee errors, and malicious acts. Additionally, third parties may be able to access sensitive data.
Employee mistakes, misconduct, or errors in storing, using, or transmitting such data could lead to actual or perceived privacy or security breaches, or other incidents. The company also disclosed that as it grows and collects more data, the risk of significant failures in internal controls or data security measures increases, potentially resulting in breaches affecting more individuals and exposing Swiggy to greater liabilities, fines, and compensation claims.
Swiggy reported two potential data breach incidents for the three months ending June 30, 2024, and for the fiscal years 2024, 2023, and 2022. The first incident was detected in September 2022 during a technical infrastructure update, in which some customers were able to view the last four digits of credit card details or parts of UPI handles of other customers. Although no complaints were filed and the incident had no adverse effect on operations or finances, Swiggy voluntarily reported it to the Indian Computer Emergency Response Team (CERT-In).
The second incident occurred in February 2023, when a former employee fraudulently gained unauthorized access to Swiggy’s test systems. The issue was flagged by the monitoring system, and the breach was limited to the testing environment. There was no material impact on operations or finances. Swiggy promptly updated its policies for employees and former employees and filed a police report (FIR) against the ex-employee.
Swiggy emphasized that future attacks cannot be ruled out, stating, “Our platform and back-end infrastructure may be vulnerable to cyberattacks and security breaches, including social engineering, denial of service, credential stuffing, ransomware, and other malware, employee error, and malfeasance, among other sources of disruption. Third parties may be able to access data.”
The company added, “Employee error, malfeasance, or other errors in the storage, use, or transmission of any of these types of data could result in an actual or perceived privacy or security breach or other security incident. Although we have policies, system controls, and checks to restrict access to the data we store, there is a risk that these policies may not be effective in all cases.”
As Swiggy continues to grow, the company highlighted the increased risk: “The more personal data we hold, the greater the likelihood that a significant failure in our internal controls or data security measures could result in a data breach affecting more individuals, which could expose us to greater potential liability through fines and compensation claims, significant reputational harm, and a loss of trust that could deter users from using our platform.”