Wishque hacked, but company refutes claims

Neville Lahiru

Sri Lankan e-commerce platform Wishque appears to have suffered a data breach early this month. On 4 April, a data dump claiming to belong to wishque.com was published online. According to the post, the platform was breached on 30 March. The dump allegedly contains 19.7 million records, including customer email addresses and phone numbers.

According to the post, the records also include credit card data (cardholder name, card number, expiration date), although the card numbers appear to be masked rather than stored in full. The post itself also admits that the dump contains a large number of temporary or fake email addresses.

The data dump on the infamous BreachForums site

Wishque response

Nearly a month after the incident, Wishque issued a public statement following a viral Facebook post. The company states that the data breach claim “stems from a breach of a test database used strictly for development purposes.” It further described the contents as “scrambled data” used for testing and system development. However, the sample data in the dump suggests otherwise.

Later, the company followed up with a detailed update. Wishque says its hosting partner, Amazon Web Services, verified that neither its live customer database nor production environment suffered a data breach.

However, following a forensic analysis, the company confirmed that the leaked test database did contain “limited real customer data.” According to Wishque, this affected only customers who had used the site’s wishlist feature. Speaking to ReadMe, the company clarified that this customer data had been copied into the test environment temporarily for AI development purposes.

The leaked data also includes partial credit card information. Wishque states that no full credit card numbers, CVVs, passwords, or billing details were stored in the database. “All transactions are securely processed through trusted third-party payment gateways provided by banks and leading international payment platforms,” the company added.

The online retailer says it has already informed all affected customers via phone/email. “[We] have shut down the test environment, and further checkups are happening,” the company told ReadMe. It’s also engaging third-party cybersecurity experts “to strengthen all environments.”

Update from Wishque regarding the recent data breach

A continuing lackluster attitude

The incident comes just a month after the Cargills Bank data breach, arguably Sri Lanka’s biggest breach to date. Security incidents have seen a noticeable uptick in Sri Lanka’s online space, both in the public and private sectors. Sri Lanka CERT reported at least 142 security incidents (ransomware, DoS/DDoS, phishing, website breaches, and server compromises) during 2024 alone.

Despite the alarming situation, legislation around data privacy and security has languished for years. The Personal Data Protection Act was passed into law in 2022 but remains ineffective in practice because the Data Protection Authority it provides for has yet to be made operational. The cybersecurity bill has been in the works for years and has still not seen any meaningful progress.

It also doesn’t help that the general response from breached organisations has been poor, often amounting to little more than an ambiguous acknowledgment, if that. For instance, Cargills Bank issued four public statements following its breach but has yet to publicly communicate its extent. Wishque, by contrast, did provide a more detailed explanation of its incident. But the disclosure only came nearly a month later, and only after a viral Facebook post.

Update: Included comment from Wishque
