A QR-Ious Case of Privacy Data Leak

It was a simple dinner at a restaurant on FC Road, Pune, that turned into a nightmare for a Pune woman recently. Sharing her experience on social media, Rishika Dutta alleged that a restaurant staff member accessed her phone number through a QR-based ordering system and later sent her unsolicited late-night messages. Her post garnered public attention, and social media went into a tizzy. This raises a pertinent question as to how much personal data we are casually sharing each time we scan a QR code to order food, pay bills or check into a venue?

QR Code Concerns

Himanshu Yadav, a Cyber Security Expert, Researcher & Founder of HackindTech, says, “QR-code ordering systems are convenient, but they can create privacy risks if customer data is not properly protected internally.” In many restaurants, customer phone numbers and billing details are often visible on staff dashboards or POS systems. If access controls are weak, such information can easily be misused by employees for personal communication, unsolicited contact, or even scams. Insider misuse is becoming an increasingly significant cybersecurity concern globally and is no longer limited to threats from external hackers alone.

According to him, businesses must recognise that customer data protection is not just about defending systems from outside attacks, but also about regulating who within the organisation can access sensitive information. Himanshu says, “Restaurants and service establishments should ensure that only authorised employees are given access to customer details, while also maintaining proper monitoring and audit logs to track how such data is being used.”

Wider Ramifications

Cybersecurity threats today have spread their wings far beyond conventional hacking, cutting across sectors and domains ranging from healthcare and aviation to hospitality, banking and everyday consumer services.

Nirali Bhatia, a Cyber Psychologist & Psychotherapist from Mumbai says that cyber-related privacy violations often leave behind a long-lasting emotional impact. “Once it happens with you, you start looking at every ordinary situation differently,” she says, explaining how something as routine as sharing a phone number with a salon employee for an appointment or giving it to a delivery executive suddenly begins to feel unsettling.

Nirali shares her personal experience. Her car broke down on a highway, forcing her to quickly search online and contact a local car service for a battery replacement. The issue was resolved immediately. A month later, she began receiving unsolicited text messages from the same number she had originally contacted for assistance. Determined to confront the issue, she visited the shop in person. “It was a young chap doing it out of boredom,” she says. The young man had even saved some of her WhatsApp display pictures on his phone.

Access to customer information should come with responsibility and boundaries, something many people and businesses still fail to fully understand. Himanshu says, “Cases involving misuse of customer contact information are common, especially in sectors like food delivery, ride-sharing, and retail.” Concerns are now emerging within the hospitality sector as an increasing amount of customer data is being collected and stored digitally through QR-code ordering systems, reservation platforms and billing software.

Many incidents go unreported because businesses tend to handle them internally to avoid reputational damage. Customers also choose to ignore unsolicited messages instead of filing formal complaints.

The QR Code Ecosystem

When you scan a QR code at a restaurant, it feels like a simple transactional practice. “But when the same number is later used without your consent to send unpleasant texts or DMs, it stops being merely inappropriate. It becomes deeply violative and even threatening,” says Nirali.

Such incidents often create a strong sense of discomfort and fear, particularly among women, because something shared casually in a routine setting suddenly becomes a channel for intrusion.

Nirali believes the larger issue lies not necessarily with the QR code itself, but with the broader ecosystem surrounding it. “The systems are designed for convenience, especially after the Covid-19 pandemic, when contactless services became the norm,” she says.

Explaining the psychology behind such behaviour, she notes that people naturally lower their guard in environments that feel familiar and socially safe, such as restaurants, salons or delivery interactions. In those moments, very few stop to critically think about what information is being shared, where it is being stored, or who may eventually gain access to it. “Today, scanning a QR code and completing a payment feels completely normal to us,” she says, adding that this sense of normalcy often reduces the caution people would otherwise exercise online.

Convenience Needs Safeguards

As QR-code systems and digital platforms become increasingly common across restaurants, salons, delivery services and other everyday spaces, experts stress that stronger safeguards around customer data can no longer remain optional. Himanshu says, “Under India’s growing data protection framework, businesses are expected to store and process customer data responsibly and securely.”

Himanshu opines that collecting only necessary information should serve as the norm. There should be more training with staff and employees about data responsibility. The Pune woman incident is a reminder that businesses must invest not only in digital convenience, but also in stricter security practices, better access controls and greater accountability.

Because in an increasingly connected world, customer trust depends just as much on how securely their information is protected as on the service itself!

Data Compromise Incidents

• The 2022 ransomware attack at AIIMS disrupted hospital services for days after more than 1TB of data was reportedly encrypted.

• In 2023, reports also emerged about alleged leaks involving data linked to the ICMR and Aadhaar-related information. There are claims that records of millions

of Indians were being circulated on the dark web.

• Earlier, Air India disclosed a major breach involving passenger details, including passport and contact information, after its data processor suffered a cyberattack.

Safety Tips

• Be cautious if a restaurant or any service provider asks for excessive personal information.

• Suspicious redirects to third-party websites without HTTPS security or mandatory OTP logins should be looked out for.

• Verify payment URL’s before making transactions.

• Avoid installing unknown apps through QR redirects.

• Taking a few seconds to verify a QR code can prevent major scams.

(Courtesy: Himanshu Yadav, Cyber Security Researcher & Expert)