In a concerning development, ride-hailing unicorn Rapido reportedly exposed the personal data of its users and drivers due to a security issue involving a feedback form. Discovered by security researcher and ethical hacker Renganathan P, this vulnerability allowed public access to sensitive details such as full names, phone numbers, email addresses, and feedback messages. The breach highlights the growing challenge of cybersecurity in India’s rapidly expanding startup ecosystem.
Credits: Times of India
The issue stemmed from a feedback form hosted on a domain separate from Rapido’s primary website. While designed to collect valuable insights from customers and rickshaw drivers, the form’s lack of proper security controls left it vulnerable to public access.
Scope of the Exposure
The breach was significant, involving over 1,800 feedback entries by December 19, 2024. Most of the data pertained to rickshaw drivers, though some customer information, including email addresses, was also exposed. Rapido used a third-party service to manage the feedback process, underscoring the risks associated with outsourcing key operational components.
According to Renganathan, startups need to be particularly vigilant when involving external agencies. “Secure coding and additional access control security should be prioritized. Security assessments or hosting bug bounty programs can help prevent such issues,” he advised.
Rapido’s Response
Upon being alerted to the vulnerability, Rapido quickly acted by changing the portal’s settings to private. In a statement to TechCrunch, Rapido’s co-founder and CEO acknowledged that the survey links had inadvertently reached unintended users. The company assured that steps were being taken to prevent such incidents in the future.
While the immediate response is commendable, the incident raises questions about the startup’s approach to data protection and its ability to safeguard the trust of its users.
A Growing Problem in Indian Startups
Rapido’s breach is not an isolated event. The Indian startup ecosystem has recently seen a string of cybersecurity lapses:
Signzy: In late November, the fintech SaaS startup was hit by a cyberattack.
Star Health: A data breach resulted in the personal information of 30 million customers being allegedly put up for sale on Telegram. The hacker demanded a ransom of $68,000.
DotPe: In September, a human error led to the leakage of customer data on its payments platform.
These incidents emphasize the urgent need for startups to prioritize data security, especially as they grow and handle increasing amounts of sensitive customer information.
Lessons for Startups
Rapido’s experience offers critical lessons for startups across industries:
Secure Third-party Integrations: Outsourcing operational components like feedback collection requires stringent oversight. Security protocols must extend to all partners.
Regular Security Assessments: Startups should conduct periodic security audits to identify and address vulnerabilities before they become crises.
Engage Ethical Hackers: Bug bounty programs can help uncover flaws that might otherwise go unnoticed.
Transparency and Accountability: Companies must communicate openly with users about breaches and outline steps to address them.
As Renganathan noted, “India has a lot of security professionals. I request startups to make use of such cyber experts.”
Rapido’s Resilience and Growth
Despite this setback, Rapido has demonstrated resilience in its financial performance. The company reduced its losses by 45% in FY24, bringing them down to ₹370 crore from ₹675 crore in FY23. Meanwhile, its revenue grew by 1.5x, reaching ₹648.1 crore. These figures highlight Rapido’s strong market position and potential for recovery.
Founded in 2015 by Rishikesh SR, Pavan Guntupalli, and Aravind Sanka, Rapido has grown from a bike taxi service to include auto and cab segments. This diversification reflects its ambition to dominate India’s ride-hailing market.
Credits: Tech Crunch
Looking Ahead
The whole startup ecosystem should take note of the Rapido data breach. Innovation and quick expansion are essential for success, but they must be counterbalanced by strong cybersecurity. Any service-based business is built on trust, and preserving that trust depends critically on protecting data privacy.
Startups need to see cybersecurity as an essential component of their growth plan rather than an optional investment. Effectively and openly handling this incident could give Rapido the chance to reaffirm its dedication to user safety and trust, which is an essential first step in its ongoing quest to dominate the industry.
