It's Raining Data Breaches in India

"Some of my data is there. In fact even the accurate date for the creation of my Mobikwik account, in 2013, is there," said Medianama founder Nikhil Pahwa after his personal information, along with millions of others, were leaked following the data breach of MobiKwik, an India-based digital wallet company, in March.

Barely two months later, Air India and Dominos India would go on to become casualties of a data breach.

On May 15, India's flagship airline, Air India, confirmed that, in early March, attackers had accessed data belonging to 4.5 million global passengers following a breach of aviation IT provider SITA's Passenger Service System.

The stolen information — which spanned nearly 10 years between August 26, 2011 and February 3, 2021 — included passengers’ names, credit card details, date of birth, contact information, passport information, ticket information, Star Alliance frequent flyer data, and Air India frequent flyer data, the company said in a statement.

The disclosure comes three months after Swiss aviation IT provider SITA announced that it had suffered a data breach that involved passenger data, making Air India the latest airline to be affected by the incident.

Six days after Air India's disclosure, pizza delivery service Dominos India suffered a data leak involving 180 million customer order records, which were made available as a searchable portal on the dark web. As well as phone numbers and email addresses, the data also contained information about users' order locations, making it a goldmine for cyber criminals. The breach is believed to have occurred in April.

The fact that anyone can easily search for phone numbers and retrieve the person's past locations with dates and times is a grave threat to privacy. Even worse, hackers can use this information to perform additional attacks, such as phishing scams and SMS messaging scams, to steal further sensitive data from users exposed in the breach.

But these are not isolated cases. The breaches add to an uptick in data security incidents, with at least 14 other companies impacted in the past year alone. It is important to note, however, that this includes only the companies that have publicly disclosed the breaches.

According to Verizon's 2021 Data Breach Investigations Report published last month, there have been 5,258 confirmed data breaches worldwide, with victims spanning 88 countries and 12 industries.

"With an unprecedented number of people working remotely, phishing and ransomware attacks increased by 11 percent and 6 percent respectively," the report said. "Additionally, breach data showed that 61 percent of breaches involved credential data (95 percent of organizations suffering credential stuffing attacks had between 637 and 3.3 billion malicious login attempts through the year)."

What's more, an IBM study released last year found that data breaches cost organizations in India $1.9 million on average in 2020, with the cost per stolen record for organizations pegged at $76. The average time to identify a data breach increased from 221 to 230 days, while the average time to contain a data breach increased from 77 to 83 days.

If anything, these security lapses only serve to underscore the need for a stringent data protection regulation in India, without which users cannot exercise their right to privacy effectively. While the Indian government tabled a Personal Data Protection Bill in December 2019, the legislation has faced repeated delays amid ongoing consultations with relevant stakeholders.

Data breaches directly affect the customers of businesses, but companies have been getting off relatively lightly with little to no punitive action.

The Information Technology Act of 2000, which is the primary law that deals with cybercrime and electronic commerce in India, has provisions for the disclosure of "personal information" in breach of lawful contract (Section 72 and Section 72A). In addition, Section 43A of the IT Rules 2011 mandates compensation for negligence in implementing and maintaining "reasonable security practices and procedures" in relation to "sensitive personal data or information."

But, to date, there has not been a single instance where a company has been held liable for a data breach. Nor has the Indian Computer Emergency Response Team, or CERT-In, stepped in to take any action or provide clarity on measures being taken to safeguard customers despite the country witnessing an alarming number of incidents.

If phone numbers, passwords, or credit card information gets stolen, then users have the option of changing their credentials or getting their cards reissued. But if personally identifiable information such as names, social security numbers, dates of birth, or biometric records gets plundered, then there is little to be done.

Not only do there need to be stricter norms to secure digital infrastructure, what's required is a comprehensive data protection law, like that in the European Union, which clearly lays out what companies can and cannot do with users' personal data and governs the ways businesses use, process, and store consumers' information.

The legislation should also require companies to notify users of a data breach within 72 hours of it happening, as is the case under GDPR, the current gold standard of data protection.

Businesses should explain why such a breach took place and its potential impact, provide details including the number of affected users and the date and time of the breach, explain steps taken to respond to the security incident, and agree to an independent third-party security audit, or risk facing penalties for non-compliance.

With data breaches increasingly coming to the fore as a threat to users and companies, the way organizations inform affected individuals is as crucial as the methods used to secure personal data. Privacy delayed is privacy denied.

"All Indian major corporations' systems, not to mention govt ones, run on infra that are obsolete a decade before. Unless we catch up, this will keep repeating," a user tweeted.
