Teardown5 min read

BigBasket's 2020 Breach and the Household Profile Hiding in a Grocery Order

BigBasket's October 2020 breach exposed 20 million users' personal data for $40,000 on the dark web. We read what a grocery order history reveals against the DPDP Act's safeguard and consent requirements.

BigBasket's October 2020 breach did not make headlines the way a fintech breach would. It should have. Twenty million users' names, email addresses, phone numbers, home addresses, dates of birth, and hashed passwords were listed on a dark-web forum for $40,000.

Grocery data is more sensitive than most founders realise

A BigBasket order history is not a shopping list. It is a household profile. It reveals household size from order volumes, income bracket from category choices, and dietary patterns that infer religious practice or medical conditions, along with whether a child, an elderly person, or someone with a specific health need lives at that address.

None of these inferences require a special sensitive-data category. They are derived from groceries, and they are all attached to a verified home address with delivery GPS. Under §8 and Rule 6, the security obligation scales with the potential harm of exposure, not just the category of data collected. A home address combined with an inferred health profile causes real-world harm, and the safeguards must reflect that.

Gap 1: Retention without a purpose end-date (Rule 8)

An order from 2018 has no operational value in 2020. Retaining it indefinitely, attached to a live home address, is pure liability accumulation. Rule 8 requires defined erasure schedules; the question "do we still need this?" must have a deadline, not an open answer.

Gap 2: No layered consent for inferred profiling (§6)

If purchase history is used for personalisation, targeted offers, or third-party partnerships, that is a secondary purpose. §6 requires itemised consent, separate from delivery consent, before that use begins.

Gap 3: Breach timeline opacity (Rule 7)

BigBasket reportedly filed a police complaint before making a public disclosure. Under Rule 7, Data Protection Board notification runs parallel to any criminal complaint, not after it. A police complaint is not a substitute for regulatory notification.

The takeaway for consumer app founders

Ask your team what they could infer about a user's household from twelve months of activity data. If the answer makes you uncomfortable, that is your DPDP audit starting point, not your privacy policy. Our DPDP compliance checklist is the build order to work through it. Run a free Compliance Score below to check your own retention and consent posture in 60 seconds.

Frequently asked questions

What happened in the BigBasket data breach?

In October 2020, BigBasket suffered a breach exposing an estimated 20 million users' personal data, including names, emails, phone numbers, addresses, dates of birth, and hashed passwords, which was later listed for sale on a dark-web forum for $40,000.

Does inferred data count as personal data under the DPDP Act?

Profiles inferred from purchase history, such as likely household size or health-adjacent dietary patterns, are derived from and linked to identifiable personal data, so the safeguard obligations under §8 and Rule 6 apply based on the harm that exposure of the underlying data could cause.

Does filing a police complaint satisfy DPDP breach notification?

No. Under Rule 7, notification to the Data Protection Board runs on its own 72-hour clock from awareness of the breach, independent of any criminal complaint filed with law enforcement. One does not substitute for the other.

Compliance Score

Where does your website stand against the DPDP Act?

Run a free Compliance Score: privacy policy, cookie consent, and retention posture, checked in 60 seconds. No signup.