Since the beginning of 2021, there has been a phenomenal increase in Data Breaches in India, exposing Indian citizens’ data. Major data breaches that took place recently is – Air-India data breach involving breach of 4.5 million passengers data after a sophisticated cyber-attack on SITA Servers –Switzerland-based company providing passenger services system. The cyber-attack was carried out on its servers based in the US. Other data breaches include Dominos India Database Leaks, Upstox, Mobikwik, BigBasket, Money Control, and a lot of other databases. Common amongst all of them is that their data is being sold on the Darknet and all of them denied it. None of them were held accountable and punished. Many companies don’t even bother to inform users as and when they suffer data leaks.
In January 2021, data leak on the payment platform Juspay came to light, wherein debit and credit card details of over 100 million users’ were compromised. Similarly, Late last year, personal information including names, email , password hashes, mobile numbers, and addresses of 20 million customers of the online grocery store BigBasket were up for sale on the darknet. In 2018 and 2019, saw data breach of healthcare records of 6.8 million Indians.
In the case of MobiKwik, database of App users of MobiKwik was available for sale on darknet containing highly sensitive details of millions of Indians. Approximately 8.2 Terabytes Sensitive User Data of MobiKwik Users that was for sale on Hacker Forum. MobiKwik is a mobile App based payment system and digital wallet, enabling users to perform transactions from the Mobile App. This App is required to have a process of Know Your Customer (KYC) which entails that the MobiKwik was holding Personally Identifiable Information (PII) such as Individual Identity documents, Address proof, scanned copies of passports and Aadhaar cards, and a lot more.
Hackers gave an exclusive offer for a set price of 1.5 BTC ($84k), where a buyer could get the entire database and have the dark web portal taken offline, keeping everything exclusive. The seller listed the following as part of the massive pack:
- 99 million databases of E-mail, phone numbers, passwords, addresses, details of Apps installed, IP address, GPS location, etc.
- Approximately, 7.5 Terabytes of 3 million Merchant KYC data comprising details of passports, Aadhaar cards, pan cards, selfies, stored picture proof used to get loans on the site.
MobiKwik denied that the personal data of its users was seen online belonged to them. In the absence of data protection law, MobiKwik was able to deny this data breach for over a month — despite the data even been circulated on Telegram Channels, until it couldn’t.
At the heels of this data breach, on 21 May 2021, Air India suffered a major data breach in which sensitive information and personal details of more than 4.5 million passengers were breached after a sophisticated cyber-attack on SITA Servers based in the US. This data breach included user’s payment information including credit card number, name, date of expiry, and passport details. This data breach involved the user data held by SITA between August 2011 and February 2021.
Immediately after the Air India data breach notification, pizza delivery chain Domino’s India became the victim of a significant data leak. This data breach included more than 18 crore data of Indians, who ordered online on Domino’s India Site and App and was put up on sale on the dark web as a searchable database.
Breached Data contained 13 TB of Domino’s Customers and Employee data. In case you have ever ordered for Domino’s India Pizza online, your data might be leaked, Data included Name, Email, Mobile Numbers, Delivery Address, GPS Location, etc. The data in question was put on sale for Rs 4.5 crore (10 Bitcoin).
Such data breaches put every Indian’s personal information at immense risk. They create threat vectors for financial cybercrimes and also ID fraud. What makes things worse, is the seeming inaction and response by data processors, whom users trust with their data. Misuse of sensitive user data such as Political opinions, Racial or ethnic origin, religious or philosophical beliefs, Genetic data, and Biometric data can cause more damage than the standard user data that are involved in breaches, like names, addresses, and financial details.
Though personal user data is largely used to commit financial frauds or launch personalized cyber-attacks (which, although bad, are a one-off event), a breach of sensitive personal data can permanently disrupt the victim’s life. Think of the emotional damage to the user he might have to undergo if his sensitive personal data becomes publicly known such as health condition or he / she was a member of a controversial political party. Similarly, consider the ramifications in case biometric data gets breached. This isn’t just a privacy breach but can also have an irrevocable impact. The victim will forever know that biometric data has been compromised and can potentially be used anytime to access accounts.
Whether a company is responsible or not depends on the incident response and it cyber readiness to handle any Ransomware attack, that would lead data breach. Not every company is found liable to data leaks. However, if a company is not taking corrective measures to protect user data against Ransomware attacks and sensitive information, they may be forced to pay millions.
Companies need to inform about data breaches to their users who may have been affected so that those users with exposed personal data can take steps to protect themselves from further harm. The sooner a person with compromised data learns about their data breach, the sooner steps can be taken to mitigate any possible repercussions of the data exposure.
Due to coronavirus pandemic all the people have shifted to Work from Home, education to online mode, however, we are still without data protection-relevant rules, regulations, and frameworks to safeguard personal data / Personally Identifiable Information of Indians. Existing data protection laws in India are inadequate to deal with the present-day realities of Data Privacy and Data Protection. Companies should come up with official notification must include:
- Elucidation of the Data breach, identification of the type of data that was compromised in the Data Breach.
- Specific Information for those affected by the Data Breach, so that can take steps to protect themselves.
- An explanation of what the Company is doing to investigate and correct the data breach.
- Share Contact information with users, so that those who are affected by the Data Breach can learn more information.
Regardless of how prepared any company is for a data breach, there is no room for any complacency in today’s evolving Cyber Security landscape. One must have a harmonized cybersecurity strategy in place that protects sensitive data, reduces threats and safeguards your brand’s reputation.
In European Union(EU), the disciplinary powers introduced in the GDPR (General Data Protection Regulation) are potentially very stringent and there’s the threat of regulatory penalties following any data breach. However, the Indian Personal Data Protection Bill that would outline rules and regulations for private companies to manage the users’ data has been pending in Parliament since 2019. The proposed data protection law is currently drafted but does not address the crucial gap in consumer data safety. For example, the bill does not mandate notifying affected users in case of any data breach. It gives the advantage to companies that are not under any obligation to notify victims in case of Data Breach.
This leads to a conclusion that not only is a data protection bill is very much needed immediately but also a robust one that would adequately secure the digital rights of users. Without this stringent Data Protection Law, Indian users have few safeguards when it comes to their data protection rights.
Col. Inderjeet Singh Brar is an expert in encryption and block chain technology.
©️ The content of this Article is intellectual property of The 4th Estate and can not be used except with prior written consent of the Editor, The 4th Estate.
