Breach
This contributed to the hype, and the late nineties boasted an atmosphere of optimism and growth around the Internet. But it was a party that was celebrated way ahead of its time. The reality of Internet penetration and adoption in India wouldn’t quite match the hype for many, many years, for more than a decade into the mobile revolution. The number of Internet users in the country at the end of 1998 was just about a million.1 An Internet connection was still an expensive proposition, a luxury limited to certain pockets in the country. The number today is nearer to 400 million.
The connections themselves were painfully slow, but none of these realities stopped entrepreneurs from starting businesses in a bid to be early in the gold rush that they were sure was just around the corner. The idea that from working as a cog in a corporate wheel, anyone could control the rudder to their own destiny made entrepreneurship aspirational, and many hopped on to the bandwagon.
That made the hype machine work at full tilt. At the turn of the millennium, there were full-page advertisements peddling online businesses on the front page of national newspapers. A-list celebrity-fuelled sixty seconders were being shown on prime-time television by companies.
Among the many names that popped up in this orgy of entrepreneurship fuelled by the Internet, there was none more symptomatic of the boom-bust cycle than Home Trade, which started as a financial services portal. In what was perhaps the most high-octane advertising campaign India has seen, they hired three of the highest paid celebrities of that era—Sachin Tendulkar, Shah Rukh Khan and Hrithik Roshan—and advertised ad nauseam on prime-time television and on prime content like cricket. Not too many viewers really had much of an inkling as to what they were about or how they were making money.
The dotcom bust of 2000, combined with the aftermath of the 11 September attacks on the United States in 2001, slowed the momentum and triggered collapses of first-generation Internet businesses all over the world. India was not shielded from any of this. Many names that rode their luck on hype and pointless advertising shut shop. The absolute low point of that era in India was the Rs 400 crore scam of Home Trade. The company was hyped as one of the poster boys of new millennium businesses.2
A small group of companies including Naukri,3 Bharat Matrimony4 and Indiamart5 which solved India-specific problems managed to emerge from the bloodbath. These companies got bruised but managed to survive. They had to cut their spending and lie low to concentrate on profitability rather than on growth, but the worst of that era was behind them.
The irony was that businesses like Indiamart were not even remotely touted as ‘poster children’ of the first wave of India’s Internet entrepreneurship. However, there was a real business at the end of the ‘dotcom’ for them. They made money running actual businesses rather than burning money senselessly on advertisements perpetuating a scam.
The actual amount of money they made was still minuscule. Just before the turn of the millennium, in 1999, Indiamart reported a revenue of Rs 1 crore and a profit of Rs 10 lakh.6 That may not sound like much, but it was one of the earliest instances of a company making money running an Internet-based business in India. By the end of March 2002, Indiamart clocked Rs 3.25 crore in turnover. By 2006, their revenues grew nearly six times to Rs 18 crore, with more than Rs 6 crores in profits. The Agrawals had managed to do something pretty much all entrepreneurs strive for when they start their individual journey. They helped move the needle on a real, pressing problem while creating a self-sustaining company in the process.
The Internet revolution returned to the Indian shores with full force on the back of newer start-ups a few years later. Having seen the success of Bengaluru-based Flipkart in increasing the number of people who transacted online, the Agrawals decided to take the plunge into e-commerce. Tolexo was an obvious evolution from Indiamart and was imagined as a platform that would enable B2B transactions—an e-commerce site exclusively targeting businesses rather than consumers.
It sounded like an obvious opportunity, in theory. Widespread adoption of consumer e-commerce was going to be the foundation for Internet-based B2B businesses. There were precedents of consumer businesses influencing and changing business behaviour, and this could do the same. It was presumed that the Indian B2B e-commerce market was one that was bound to grow on the back of the strong consumer Internet story.
The company was initially housed within Indiamart’s seventh floor office in the Advant-Navis Business Park, midway between the Delhi suburbs of Noida and Greater Noida. They have since moved office to another part of Noida, but continue to be closely linked. Indiamart owned the e-commerce platform outright. Tolexo was a natural extension of Indiamart. The company would move from merely connecting sellers and buyers to enabling them to transact on a platform, think Alibaba for businesses. They believed they would have a head start over competitors because of Indiamart’s learning and deep understanding of the market gleaned over two decades.
There was the promise of big rewards. The business-to-business market they engage in is one of those massive opportunities that even has the potential to dwarf consumer-led platforms. Globally, business-to-business e-commerce is estimated to be twice as big as consumer e-commerce, and is pegged at a whopping $1.7 trillion. In India, the numbers in B2B e-commerce are still nothing to write home about and the category is in its infancy at best. That is what a new crop of companies like Tolexo and IndustryBuying were seeking to change.
* * *
The news of customers getting defrauded due to a data leak was a problem that had the potential to nullify any advantage that Tolexo had from being an early entrant. Most companies and their sourcing departments tend to be conservative when it comes to signing off on newer partners, and anything less than complete assurance of confidentiality on their dealings could invariably lead these B2B customers far away from start-ups like Tolexo.
Agrawal had to react fast. But where would he start? What bothered him was he didn’t know exactly how big the breach was. Was it only limited to incomplete orders, as it seemed at that point, or did the malaise go deeper? Agrawal called the company lawyer, Danish Ali Khan, and tasked him with immediately collecting evidence of what was happening so that this could be reported to the police with everything in place. Agrawal knew that going to the cops was not an easy step. They had to prove that a crime had indeed been committed and that they had a watertight case.
Going to the cops was an unusual step as most companies that face issues of data theft prefer dealing with it internally. Many companies who are victims of data theft refrain from involving the police due to a fear of reputational damage, but Agrawal was determined to get to the bottom of this defrauding of his customers.
It was also important to plug the leak that was resulting in the company data being used for fraud. Khan, whose specialization in college was intellectual property and cyber law, had been a part of Indiamart’s legal team for many years. He was particularly experienced in dealing with cases where people would list fake products of well-known brands, infringing IP, and look for distributors. It was a common occurrence—think fake Nike sneakers or a fake pair of Levi’s. Khan was also used to policing the site to combat the listing of banned narcotics, including cocaine.
Khan quietly started piecing together the circumstances that led to the breach. The progress of his investigation had to be kept a secret, lest it spook the perpetrators. He started by looking at the modus operandi in granular detail and reached out to some of the customers to understand exactly what had happened. He collected the numbers they had got the calls from, as well as the account number to which they had been asked to make the payments.
The biggest clue that would eventually help him find the culprit behind the breach was the stage of the buying process when the customers had got the calls. There were only a few who had access to information on abandoned carts, and this information is strategically important to e-commerce firms. After all, these were customers who almost completed the buying process before abandoning the transaction. They probably changed their mind or, as it happens often enough, the payment didn’t go through because of technical issues with the payment gateway. Whatever the reason, their products remained in the cart.
No matter what the reason for non-completion of the buying process, the act of adding to the cart signalled intention to buy. Converting someone’s intention to buy into actually buying the products is easier (than exhorting a fresh customer to buy) and profitable for companies like Tolexo. It’s the same theory that most e-commerce players use when they notice users browsing but not buying. The cookies they have installed track users and what they browse, and in case the buying loop is not closed (and in some cases even if it is), ads with details of the product pop up, whichever site the user is on. The idea, called re-targeting, is always to convert intent to buy into actual transaction.
This was why firms have abandoned cart teams. Many e-commerce firms engage these teams to follow up on unfulfilled orders. Tolexo too had one such team. These teams were made up of a group of specialized customer service representatives who would receive automated alerts on their email detailing orders that were not completed. They would then call up and ask if the customer needed any help completing the order and in case they did, the customer service representatives would handhold them through this process. This is standard operating procedure, especially when dealing with orders for products of larger ticket size.
Khan realized that whoever was behind the fraud was aware of this procedure. Judging by the comprehensive conversations that the customers had with the perpetrators, the information could have only come from the automated emails that were sent to the abandoned cart team. The calls, he figured, could not have happened without someone having access to detailed information about the products the customers were browsing. But was it an inside job—someone surreptitiously making the calls from the office—or had someone outside the organization gained access to these emails?
The first step to ascertain this was for Khan to identify those employees who had access to incomplete orders. He made a list of the persons who had access to the database and were getting emails with the relevant information. The next step was to comb through the activities on each of their email IDs.
The search revealed an anomaly almost immediately. There was traffic coming into one of the email IDs from an unknown IP address (an Internet protocol address is a unique number assigned to every computer connected to a network), outside of and unknown to Tolexo. What with working from home on the rise, Tolexo too, like many companies, had enabled their employees to access their emails from home. Even accounting for that, the pattern of traffic to this email ID was unusual. Simultaneous logins to this ID pointed to its having been accessed from outside the establishment even while the employee in question was in office. Khan immediately blocked external access to emails for most of the employees.
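The check Khan ran by hand, an outside login to a mailbox overlapping a session from inside the office, can be run over mail-access logs automatically. The Python sketch below is an added example, not Tolexo's tooling or anything from the book; the log format, the office range 10.20.0.0/16, the mailbox names and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Assumption: hypothetical office address range, not a value from the book.
OFFICE_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed sample log (timestamp, mailbox, source IP, event); not real data.
SAMPLE_LOG = """\
2016-07-11T09:02:10 cart-manager@example.test 10.20.4.17 LOGIN
2016-07-11T11:15:42 cart-manager@example.test 203.0.113.50 LOGIN
2016-07-11T11:48:03 cart-manager@example.test 203.0.113.50 LOGOUT
2016-07-11T18:05:55 cart-manager@example.test 10.20.4.17 LOGOUT
2016-07-11T21:30:00 agent-one@example.test 198.51.100.7 LOGIN
2016-07-11T22:10:00 agent-one@example.test 198.51.100.7 LOGOUT
"""


def parse_sessions(log_text):
    """Pair LOGIN/LOGOUT events into (mailbox, ip, start, end) sessions."""
    open_logins, sessions, last_seen = {}, [], None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, mailbox, ip, event = line.split()
        last_seen = datetime.fromisoformat(ts)
        key = (mailbox, ip)
        if event == "LOGIN":
            open_logins.setdefault(key, last_seen)
        elif event == "LOGOUT" and key in open_logins:
            sessions.append((mailbox, ip, open_logins.pop(key), last_seen))
    # A login with no logout is treated as still open at the end of the log.
    for (mailbox, ip), start in open_logins.items():
        sessions.append((mailbox, ip, start, last_seen))
    return sessions


def is_office(ip):
    return ipaddress.ip_address(ip) in OFFICE_NET


def concurrent_external_access(log_text):
    """Flag external sessions that overlap an office session on one mailbox."""
    sessions = parse_sessions(log_text)
    findings = []
    for mailbox, ip, start, end in sessions:
        if is_office(ip):
            continue  # home-working alone is allowed; only overlaps matter
        for other_box, office_ip, o_start, o_end in sessions:
            if (other_box == mailbox and is_office(office_ip)
                    and start < o_end and o_start < end):
                findings.append({"mailbox": mailbox, "external_ip": ip,
                                 "office_ip": office_ip,
                                 "overlap": (max(start, o_start), min(end, o_end))})
    return findings


if __name__ == "__main__":
    for f in concurrent_external_access(SAMPLE_LOG):
        print(f["mailbox"], f["external_ip"], *map(str, f["overlap"]))
```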
The email ID in question belonged to the manager of the abandoned carts team, but he was deemed unlikely to have been the perpetrator. He had been with the company for a long time and was trusted within the system. Khan called the manager aside for a quiet word with him.
He learned something in that conversation that surprised him. Within these teams, the sharing of passwords to their official email IDs was normal. They rationalized this practice by citing their intention—which sounded noble—to ensure that all emails were attended to even when they themselves were not in a position to do so, such as when they were out to lunch or had taken the day off. It was a small way in which the team members had each other’s back. It wasn’t perceived to be the negligent practice that it was. The manager confessed there were others in his team who had access to his password, including some who had quit the job.
It could be this password, which was on the loose, that was being used to access his email. Information that was trickling into that ID was then being used to call unsuspecting customers.
Khan and the rest of the team at Tolexo had a few suspects in mind, but before they could follow up on any of them, Khan needed further evidence to make the case watertight.
Khan had collected the telephone numbers from which the customers had got the calls. He tried using tools like Truecaller to see if that could help lead him to the owner of the numbers. That didn’t yield any result. In a country like India where new telephone numbers can easily be obtained using fake identification papers, criminals often buy and discard numbers even before online tools like Truecaller—which work on assigning names to numbers based on how they are saved across multiple address books—can get a whiff of them.
The other lead that Khan had that could help triangulate the perpetrator of the crime was the bank account numbers which were shared with the customers for the money transfer. The account numbers shared with the victims of the fraud belonged to two banks—ICICI Bank and Axis Bank. But to find the owner of the account numbers, Khan would have to go through the cops and get the banks to disclose the details, as was the process mandated by law. That was the only way banks would share details of the accounts held with them. But going to the cops was going to bring with it a completely different set of problems.
* * *
The discovery that there was someone accessing the manager’s mail from outside the office laid bare the modus operandi, but the perpetrator was still unknown. Khan reached out to Delhi police and filed a complaint online, but there was little by way of action for nearly two weeks. Khan received a message saying the cops would be attending to the complaint within seven days, but that never happened. Frustrated by the lack of progress on his complaint to the Delhi police, Khan decided to go to Noida’s cybercrime police station and register a complaint there.
He had already done much of the work that would make the investigation easy for the cops and help them nail the fraudster, but getting an already overworked police force to work on the case was a wholly different matter.
All this meant that Khan and Agrawal had to do it the old-fashioned way, by putting constant pressure on the cops by talking to their seniors. Khan decided to be physically present at the station to make the case progress past the registering of the complaint. Even then he had to sit with the cops at the station persistently for nearly two weeks in mid-August 2016, from 9 a.m. to 6 p.m., to get the investigations underway.
As Agrawal points out, it should not be that difficult for cops to figure out phone records or bank details. If anything, it should be easier for them to crack such cases because criminals such as those who stole the data from Tolexo just aren’t that well versed in covering their digital tracks. They didn’t ask for payment in the difficult-to-trace crypto-currencies. All that was required was for someone to make a couple of calls, furnish a warrant and pull up records that would take them to the perpetrator.
Khan got the cops to forward a request to cellular phone service providers to share the details of the numbers the perpetrators had called from. He also went with the police to the banks where the perpetrators held their accounts. They now had the names and details of the likely perpetrators. The records from the banks led them to an address in Shakarpur, a densely populated locality across the Yamuna from New Delhi.
Armed with the evidence, Khan, along with three policemen, went to the address and knocked on the door. A few seconds later, the door opened to reveal a sparsely appointed, and, according to Khan, a rather filthy looking room. Inside, there were three young people sitting around and drinking beer. It was 10 a.m. on a weekday.
There was nothing much by way of furniture in the room. There were a few phones and SIM cards lying around. Khan’s eyes almost immediately went to a bundle of papers in a corner of the room. These were printouts of Tolexo data filled with customer information. It was the very definition of incriminating evidence.
There were also identification papers such as PAN cards and driving licences—which would later prove to be fake—strewn around in the room. It would later be found that these IDs were used to get the SIM cards used in the scam.
Recollecting the day, Khan remembers that the three youngsters—Ajit Singh, Praveen Dev and Niraj Kumar (the names have been changed on Tolexo’s request)—were visibly shocked and turned pale as the cops entered their den. The cops took the three, all of whom were in their mid-twenties, to the station for interrogation. The documents found in their room were seized as evidence.
It didn’t take much before they confessed. Kumar, it turned out, was a former employee of Tolexo who quit sometime in June 2016. He was a ‘team lead’ in the abandoned carts team, reporting to the manager whose email ID was compromised. Interrogation also revealed the motive—a classic case of a disgruntled employee trying to get back at his former employers. As a team lead who was handling seventeen people, Kumar thought he deserved a better appraisal than what he had got and put in his papers in protest. It was easy to connect the dots from there. He was in between jobs and had speculated that with the access he had to Tolexo’s information, he could make some easy money while also getting back at the company. He had obviously not accounted for getting caught.
Kumar also confessed to something else besides accessing the company’s email. Even after Khan had blocked external access to the email he was infiltrating, Kumar had continued calling Tolexo’s customers. That was because he had made it a practice, while at Tolexo, of forwarding daily sales reports to his personal email. These reports contained a wealth of information on customer orders, along with other details, including addresses and phone numbers. It was the kind of behaviour that should have set off alarm bells in the organization, but most Indian companies turn a blind eye to these practices.
After access was denied to his ex-manager’s email, he simply referred to these documents to call customers, asking if they would like to place a follow-up order. He also dangled a predictable carrot to entice customers; a ‘discount’ was available if they completed the transaction immediately and transferred the money to an account number that he shared with them. Fortunately for Tolexo, not many customers took the bait.