    Is Your Personal Data Safe in India?

By Leela Tarang Krishna, Srija Paul | January 17, 2025 | 10 Mins Read

    Table of Contents
    • The Different ways in which Data is hacked/lost:
    • Measures that are taken to keep the data secured:
    • Current Regulatory System on data breaches:
    • Verdict: Is your data protected enough?

    In July 2024, the personal information of approximately 7.9 million customers of Mumbai-based stock broking firm Angel One was exposed online. The leaked data, which appeared on a hacker portal, includes sensitive details such as names, addresses, contact numbers, and even bank account information of the affected individuals. The hacker also claimed access to the customers’ stock holdings and profit and loss statements, as seen in a copy of the data dump. A private cybersecurity consultant who examined the data indicated that it appears to be from around 2023, and the hacker has only released a portion of it so far. The consultant suggested that a ransomware demand might have been involved.

In August 2024, a data breach occurred due to a security flaw on Durex India’s (Reckitt Benckiser (India) Pvt. Ltd) order confirmation page. Highly sensitive data, including full names, phone numbers, email addresses, shipping addresses, and specific order details, was compromised. This incident raised concerns amongst many individuals about the security of their data held by companies.

    In September 2024, Star Health, India’s largest standalone health insurer, confirmed a data breach involving unauthorised access to sensitive customer information, including medical reports and personal details. The breach, traced to Telegram chatbots, exposed data from millions of customers, with documents available for free and for sale. The company reported the issue to authorities, and no widespread compromise was found. The leaked data, which includes names, addresses, and medical diagnoses, has been linked to cybercriminal activity on Telegram. Security researcher Jason Parker uncovered the breach, revealing over 31 million customers’ data was involved.

    Please check if your data is compromised here: Have I Been Pwned?

Data breaches are more common than ever now. In the third quarter of 2024, 422.61 million data records were leaked in data breaches, impacting millions of individuals worldwide. All of this demands a closer look at the measures in place to protect the data of the everyday consumer. This article analyses the different ways in which data is hacked and the various security measures that companies implement to protect personal data once it has been transferred to a company in India.

    Meanings – Data Security, Cyber Incident & Data Breach

    Data security safeguards digital information throughout its life cycle to protect it from corruption, theft, or unauthorised access. Public and private organisations are legally obliged (Digital Personal Data Protection Act, 2023) to protect customer and user data from being lost or stolen and ending up in the wrong hands. 

The difference between data privacy and data security needs to be made clear. While the two might sound similar, they are different. Data privacy means that only authorised parties have access to the data provided by consumers. Data security refers to the methods organisations implement to protect the data that consumers have provided to those authorised parties. Data security serves as a layer of protection for data privacy, and a cyber incident happens when that layer of protection fails.

A “cyber incident” is defined, according to the Indian Information Technology definitions (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties), as “any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information, or changes to data or information without authorisation.”

Under the Digital Personal Data Protection Act, 2023, which is yet to come into force, a personal data breach is defined in S.2(u) of the DPDP Act as any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to personal data that compromises the confidentiality, integrity, or availability of personal data.

    The Different ways in which Data is hacked/lost:

    Common causes of data breaches are social engineering, insider threats, credential compromise attacks, and insufficient technological knowledge.

    Social engineering is the tactic of manipulating, influencing, or deceiving a victim to gain control over a computer system or to steal personal and financial information. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

In a social engineering attack, the perpetrator first studies the target to obtain background information, such as potential avenues of entry and weak security mechanisms, before carrying out the attack. The attacker then employs pretexting techniques such as impersonation to earn the victim’s trust and prompt subsequent acts that violate security rules, such as disclosing sensitive information or granting access to vital resources (for example, a caller posing as a member of the IT department).

Sometimes, even with all the tools and the awareness, data is still breached. An insider threat is a cyberattack originating from an individual who works in an organisation or has authorised access to its networks or systems. An insider could be a current or former employee, consultant, board member, or business partner, and the threat could be intentional, unintentional, or malicious. There are three significant types of insider threats: intentional, unintentional, and third-party.

Intentional, as the name suggests, is when an individual purposefully causes harm to an organisation using the information they gained during their employment. An unintentional insider threat occurs when data is lost or stolen due to employee error or neglect. Accidental insider dangers emerge from human error, with individuals making mistakes that result in data leakage, a security breach, or stolen credentials. Accidental data leaks include sending company information to the wrong email address, clicking on dangerous hyperlinks, opening malicious attachments in phishing emails, and failing to delete or dispose of critical details properly.

    Compromised credential attacks occur when malicious third parties use stolen login credentials to access internet accounts without authorisation. Usernames, passwords, security questions, and personal identification numbers are all examples of credentials. A conventional (direct) brute-force cyberattack happens when a hacker uses an automated program to attempt millions of password combinations. A compromised credential attack is typically more successful, subtler, and harder to detect than a direct brute-force attack, because it needs no failed attempts at all.
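The detection difference described above, as an added illustration that is not part of the original article: a small analyser over constructed authentication log lines. Brute force shows up as many failures against one account from one source, credential stuffing as one source cycling through many accounts, and a compromised credential only as a clean success from a source the user has never logged in from before (the log format, thresholds and the `KNOWN_SOURCES` baseline are all assumptions made for the example).

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2025-01-17T10:00:01 login user=alice src=203.0.113.5 result=FAIL
2025-01-17T10:00:02 login user=alice src=203.0.113.5 result=FAIL
2025-01-17T10:00:03 login user=alice src=203.0.113.5 result=FAIL
2025-01-17T10:00:04 login user=alice src=203.0.113.5 result=FAIL
2025-01-17T10:00:05 login user=alice src=203.0.113.5 result=FAIL
2025-01-17T10:00:06 login user=alice src=203.0.113.5 result=FAIL
2025-01-17T10:05:00 login user=bob src=203.0.113.9 result=FAIL
2025-01-17T10:05:01 login user=carol src=203.0.113.9 result=FAIL
2025-01-17T10:05:02 login user=dave src=203.0.113.9 result=OK
2025-01-17T10:05:03 login user=erin src=203.0.113.9 result=FAIL
2025-01-17T11:00:00 login user=bob src=198.51.100.7 result=OK
2025-01-17T11:30:00 login user=alice src=192.0.2.44 result=OK
"""

# Constructed baseline: source addresses each user has logged in from before.
KNOWN_SOURCES = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.7"}, "dave": {"203.0.113.9"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def detect(events, fail_threshold=5, spray_threshold=3, known=KNOWN_SOURCES):
    """Classify activity per source address. Returns a sorted list of (kind, src, user)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = set()
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        users = {e["user"] for e in evs}
        if len(fails) >= fail_threshold and len(users) == 1:
            # Many failures against a single account from one source: direct brute force.
            findings.add(("brute_force", src, users.pop()))
        elif len(users) >= spray_threshold:
            # One source trying many distinct accounts, roughly once each: credential stuffing.
            findings.add(("credential_stuffing", src, "*"))
            for e in evs:
                if e["result"] == "OK":
                    findings.add(("stuffing_success", src, e["user"]))
        else:
            # No failure pattern at all: only a success from a source this user never used before.
            for e in evs:
                if e["result"] == "OK" and src not in known.get(e["user"], set()):
                    findings.add(("compromised_credential_candidate", src, e["user"]))
    return sorted(findings)
```

Note that the last category produces no failed logins to count, which is exactly why the article calls compromised credential attacks harder to detect: the only signal is deviation from a per-user baseline.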

    Measures that are taken to keep the data secured:

Different tools and mechanisms exist to keep data safe and secure. There are four major types of data security: data encryption, data masking, data erasure, and organisation controls.

Data encryption is of two types: simple encryption and tokenisation.

    The process of using algorithms to scramble data and hide its true meaning is called simple encryption. Simple encryption ensures that messages or data can only be read by recipients holding the appropriate decryption key. This is crucial in a data breach: because a decryption key is required, attackers cannot read the data even if they gain access to it.

    Tokenisation protects data as it moves through an organisation’s entire IT infrastructure. It is the process of hiding the contents by replacing sensitive or private elements with a series of non-sensitive, randomly generated elements (called a token) such that the link between the token values and real values cannot be reverse-engineered. 

Data masking enables organisations to hide data by obscuring and replacing specific letters or numbers. This process is a form of encryption that renders the data useless should a hacker intercept it. Only someone with the code to decrypt or replace the masked characters can uncover the original message.

Data erasure happens when organisations no longer require data and need it permanently removed from their systems. Data erasure is an effective data security management technique that removes liability and the chance of a data breach. Besides these, data is also protected through backups (data resiliency) and administrative controls such as restricted access and password protection.
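Tokenisation, masking and erasure as described in the three paragraphs above, as an added illustration that is not part of the original article and not any vendor's product: a token is a random stand-in that lives only in a vault, a mask keeps just the last digits for display, and erasing the vault entry makes every existing token permanently useless. The record, the `tok_` prefix and the field names are assumptions made for the example.

```python
import re
import secrets


class TokenVault:
    """Tokenisation: real values live only here. A token is random, not derived
    from the value, so it cannot be reverse-engineered without the vault."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        if value not in self._value_to_token:
            token = "tok_" + secrets.token_hex(8)  # random; no link to the value
            self._token_to_value[token] = value
            self._value_to_token[value] = token
        return self._value_to_token[value]

    def detokenize(self, token: str):
        """Return the real value, or None once it has been erased."""
        return self._token_to_value.get(token)

    def erase(self, value: str) -> None:
        """Data erasure: drop the mapping so outstanding tokens resolve to nothing."""
        token = self._value_to_token.pop(value, None)
        if token is not None:
            del self._token_to_value[token]


def mask_account_number(account: str, visible: int = 4) -> str:
    """Data masking: replace all but the last `visible` digits, keeping the length."""
    digits = re.sub(r"\D", "", account)
    return "X" * (len(digits) - visible) + digits[-visible:]


def mask_email(email: str) -> str:
    """Keep only the first character of the local part plus the domain."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def protect_record(record: dict, vault: TokenVault) -> dict:
    """The view a downstream system (analytics, support desk) is allowed to see."""
    return {
        "name": record["name"],
        "account_token": vault.tokenize(record["account"]),
        "account_display": mask_account_number(record["account"]),
        "email_display": mask_email(record["email"]),
    }


# Constructed sample customer record, not real data.
SAMPLE_RECORD = {"name": "A. Customer", "account": "1234 5678 9012 3456",
                 "email": "a.customer@example.com"}
```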

    Organisation Controls:

Organisations often implement robust authentication and authorisation procedures, including privileged access controls and multi-factor authentication, to safeguard valuable data against threats such as social engineering attacks, insider threats, and compromised credential attacks. Email gateways that filter out malicious emails, and mechanisms to continuously monitor critical systems and assess vulnerabilities, are also implemented. Besides these, organisations often run comprehensive security awareness and user training programmes and maintain an extensive data handling policy that clearly outlines data usage guidelines.

    This multi-layered approach helps organisations protect sensitive data and mitigate the risks associated with insider threats. 

    Current Regulatory System on data breaches:

Whilst there is little public information about the regulatory measures in place to protect data (our team is yet to hear back from the Government Agencies about this – you can ask for the status here), governments play a crucial role in responding to data breaches and protecting citizens’ privacy. Currently, three regulations govern what happens in the event of a cyber incident in India: the CERT-In (Indian Computer Emergency Response Team) directions, the Digital Personal Data Protection Act, 2023, and the Information Technology Act, 2000.

CERT-In has issued a list of cyber incidents that all service providers, intermediaries (payment gateways, social media platforms), data centre operators, companies, and government organisations must report within CERT-In’s designated six-hour window. This window applies both to high-priority cyber security incidents such as ransomware attacks and data breaches, and to low-priority cyber security incidents such as website defacement or unauthorised use of social media accounts.

Under the Digital Personal Data Protection Act, 2023, which is yet to come into force, in the event of a personal data breach, regardless of the sensitivity of the breach or its impact on the Data Principal (the one who provides the data), the Data Fiduciary (the one who collects the data) is required to inform each affected Data Principal and the Data Protection Board of India. In case of a personal data breach, a penalty of up to 250 Crores is imposed on the Data Fiduciary, and a penalty of up to 200 Crores applies if the Data Fiduciary fails to notify of the data breach.

The Information Technology Act, 2000, penalises various forms of cybercrime, including sending offensive messages, identity theft, cyberterrorism, cyberbullying, and hacking. Section 43 of the Act punishes unauthorised access to computer systems, data theft, and the introduction of malware, holding offenders accountable for any resulting loss or harm. Under Section 66, hacking is modifying or destroying information to cause harm.

    Penalties include up to three years in prison and/or a fine of INR 5 lakh. Section 66C penalises the fraudulent use of stolen credentials with up to three years’ imprisonment and/or an INR 1 lakh fine. Under Section 66E, violating privacy by recording, transmitting, or publishing private photos or data without consent can result in up to three years in prison and/or an INR 2 lakh fine. Section 72A punishes breaches of secrecy by individuals who misuse personal data obtained under legitimate contracts, prescribing up to three years and/or a fine.

    Verdict: Is your data protected enough?

    The current regulatory landscape concerning data security in India is inadequate because it primarily focuses on reactive measures rather than enforcing proactive data protection protocols.

While laws like the IT Act 2000 and the forthcoming Digital Personal Data Protection Act 2023 outline penalties for data breaches and mandate reporting of such incidents, they do not explicitly require companies to implement specific security measures. They focus on penalising the guilty party rather than preventing the breach in the first place. This lack of mandated preventive action means data protection mainly depends on individual organisations’ voluntary actions. They are not legally obligated to adopt robust security practices, leaving consumers worldwide vulnerable to potential data breaches.

    The issue is further exacerbated by the fact that many organisations cannot implement moderately advanced security measures. This creates an uneven playing field in which organisations within the same industry have vastly different levels of data protection. Ultimately, the effectiveness of data security in India heavily relies on organisations’ policies and internal controls and their willingness to prioritise data protection beyond mere legal compliance.

    In other words, the data of consumers worldwide, if transferred to an organisation in India, is at the mercy of the Indian corporations’ ability & goodwill!

    What a world we live in. 
