Data Breach and Protection against it

Reading time : 10 minutes

Introduction

We can see the occurrence of data breach occurs when sensitive, confidential, or otherwise protected data is accessed and/or disclosed without authorization. Data breaches can happen in any size business, from small start-ups to large enterprises. Personal health information (PHI), personally identifiable information (PII), trade secrets, and other confidential information may be included. Personal information of a person, such as credit card numbers, Social Security numbers, driver’s licence numbers, and healthcare records, as well as company information, customer lists, and source code, are all common data breach targets.

A data breach occurs when someone who is not authorised to see or steals personal data from the entity is responsible for securing it. If a data breach is seen to be resulted in identity theft and/or a violation of government or industry compliance standards, the guilty company may suffer fines, litigation, reputational damage, and even the loss of its business licence.

A data breach is commonly assumed to be the result of an external hacker; however, this isn’t necessarily the case. Intentional attacks can sometimes be traced back to the causes of data breaches. It can, however, be caused by a simple oversight on the part of employees or weaknesses in a company’s infrastructure.

The certain reasons data breach can occur are;

An Inadvertent Insider: An employee utilising a co-worker’s computer and reading files without the required authorisation permissions is an example. There is no information given, and the access is inadvertent. The data was breached, however, because it was read by an unauthorised person.

An insider with a nefarious agenda: These individual accesses and/or shares data with the objective of inflicting harm to a person or a company. The malevolent insider may have genuine permission to access the data, but the goal is to use it for bad purposes.

Although a data breach might occur as a consequence of an unintentional error, serious harm can occur if someone with unauthorised access steals and sells Personally Identifiable Information (PII) or business intellectual data for financial benefit or to hurt others.

Malicious thieves have a fundamental pattern; they plan ahead of time to target a company for a data breach. They conduct research on their victims to identify weaknesses such as missing or failed upgrades and employee vulnerability to phishing attacks.

Hackers identify a target’s weak areas and devise a campaign to persuade insiders to download malware by accident. They have been known to go after the network directly on occasion.

Once inside, dangerous thieves have complete freedom to look for the information they desire– and plenty of time to do so, as the average breach takes over five months to identify.

Malicious offenders frequently exploit the following vulnerabilities:

Credentials are lacking: Stolen or weak credentials are responsible for the vast majority of data breaches. If a hostile criminal obtains your login and password combination, they will have access to your network. Brute force attacks can be used to get access to email, websites, bank accounts, and other sources of PII or financial information because most individuals reuse passwords.

Credentials have been stolen:  Phishing-related data breaches are a big security concern, and if cyber thieves obtain this Personal information, they can exploit it to gain access to your bank and internet accounts.

Assets that have been compromised: Various malware assaults are used to circumvent the typical authentication protocols that would safeguard a computer.

Fraudulent use of a credit card: When a card is swiped, card skimmers attach to petrol pumps or ATMs and capture data.

Access by a third party: Despite your best efforts to keep your network and data secure, malicious criminals may gain access to your system through third-party providers.

Mobile phones: It’s easy for unsecured devices to download malware-laden apps that offer hackers access to data saved on the device when employees are allowed to bring their own devices (BYOD) into the workplace. This frequently contains work email and files, as well as the owner’s personal information.

Why is data breach a threat?

Employees, vendors, and consultants with access to the network, as well as persons outside the firm, can all pose a threat to the various sorts of data. They can access your data from within your network, via external email accounts, via mobile devices, and via the cloud, if your company saves data there. Traditional perimeter security is no longer sufficient to protect your data from these attackers.

Insiders can cause data protection to fail. Employees that are dissatisfied with their jobs may opt to leak confidential information. External parties can use malicious emails or harmful websites to infect employee PCs with malware and steal user names and passwords. Cloud data and email accounts are frequently accessed by employees of your cloud services provider, and mobile devices might be misplaced, hacked, or corrupted. In the face of such dangers, businesses must assess the potential repercussions of data breaches and devise strategies to mitigate their risks.

Businesses that suffer data breaches face serious and growing implications. This is mostly due to the increasing regulatory burden associated with notifying individuals whose personal information has been exposed.

Companies that have a consumer data breach must determine where their customers live and which regulatory entity has jurisdiction. Regulations specify the types of data that must be notified following a breach, as well as who must be contacted, how the notification must be carried out, and whether specific authorities must be alerted. Personal, financial, and health data breaches are usually subject to notification obligations, however, the exact definitions vary by state. Companies that do business globally may have customers in a range of jurisdictions and must adhere to a variety of regulations. The costs of such a process, combined with legal penalties, potential compensation for damages, and any resulting lawsuits, can be enough to put some businesses out of business.

Data breaches involving different sorts of data can have a significant negative impact on a company’s brand and financial status. A data leak could jeopardise a company’s planned sale, in addition to contractual duties, as happened recently with Verizon’s purchase of Yahoo. Your firm may not survive if your competitors learn about your business methods and are able to market products identical to yours at a lower price.

History of breach in India

With over 690 million internet users and expanding, India is seeing an increase in both private and public sector data breaches. Digital security firm Gemalto conducted a survey where data breaches in India were the second-highest globally in 2018. As a result, the fact that India has a history of data breaches is instructive.

In October 2016, it was revealed that a malware intrusion in the Hitachi Payment Services system had compromised 3.2 million debit cards from major Indian banks. In India, Hitachi provides ATM and POS services, and the spyware allowed hackers to steal money from users’ accounts. In 2016, the NPCI (National Payments Corporation of India) recorded fraudulent transaction losses of over 13 million INR ($195,000 USD). The banks, for example, SBI, i.e., the State Bank of India, ICICI, HDFC, YES Bank, and Axis Bank, were among the worst-affected banks. For six weeks, the hack went undiscovered, and banks were only notified until many overseas banks reported fraudulent card use in China and the United States while customers were in India. SBI reportedly stopped and reissued 600,000 debit cards, making it one of the largest card replacements in Indian banking history.

Data, the most precious asset in the information era, is difficult to possess and even more difficult to protect. With data breaches in India increasing by 37% in 2020 compared to the first quarter of 2019, the tech sector faces a serious dilemma as fraudsters progressively feed on their information. According to an IBM analysis, the overall cost of breaches in India might exceed Rs 14 crore by 2020. India tops the charts among the countries in terms of cybercrime, according to this figure. Work from Home (WFH) has resulted in a significant digital transition. With the end of the pandemic-spawned lockdown, 15 billion credentials are out for sale, according to a digital monitoring agency.

The data breach at e-grocery BigBasket is thought to be the largest in Indian online. In the cybercrime sector, a worldwide security business reported the details of 20 million user accounts. On October 30, 2020, the breach was discovered and quickly placed up for sale for 3 million rupees. Only on November 7, when the business agreed to the leak, was the news confirmed.

Six big breaches had been announced in the month prior, all of which jolted users awake. These cases include Haldiram Snacks Pvt Ltd, Prime Minister Narendra Modi’s personal website narendramodi.in, Bharat Matrimony and the Indian Railways’ online ticketing portal IRCTC. Later in the year, cyber-attacks targeted Dr. Reddy’s Laboratories and Paytm Mall, an e-commerce company.

Recent development in Data Breach cases

In 2021, India was stunned by data breaches, which continued to rise year after year. In January, information containing masked card data and card fingerprints were hacked from a Juspay server using an unrecycled access key, affecting 35 million user accounts. The data breach happened in August 2020, but it wasn’t discovered until independent cybersecurity researcher Rajshekhar Rajaharia discovered it for sale on the dark web for roughly US$5000.

Another data breach occurred in January when the COVID-19 lab test results of at least 1500 Indian residents were made public on official websites. The fact that the disclosed data has not been discovered for sale on dark web forums is concerning. Instead, Google’s indexing of COVID-19 lab test records has made the information publicly available. Patients’ full names, dates of birth, testing dates, and the names of the testing centres were among the information stolen. Experts further claim that the papers were hosted on the same CMS system that government agencies use to publish publicly accessible information.

Also read: CUSTODIAL DEATHS

In February, information on 500,000 candidates for the police exam was made available for purchase. CloudSEK, a threat intelligence firm, was able to trace the data back to a police exam on December 22, 2019. With CloudSEK, the seller-provided a sample of the data dump, which includes the information of 10,000 exam candidates. The data includes the exam participants’ full names, phone numbers, email addresses, dates of birth, FIR records, and criminal histories, with the majority of the candidates being from Bihar.

The data of 9.9 crores Mobikwik members was leaked online in March, yet the financial company fail to accept the fact that they are at fault. Rajaharia was the one who discovered the leak and contacted the Reserve Bank of India, the Indian computer emergency response team, PCI Standards, and payment technology companies, among others.

Domino’s India suffered a huge data breach in April, when the credit card information of about ten lakh customers and workers was released on the Dark Web. Names of the customers, phone numbers, and payment information, including credit cards and pizza preferences, were among the details exposed. Alon Gal, CTO of security firm Hudson Rock, uncovered the leak when he came across someone offering ten bitcoins (about US$535,000 or INR4 crore) in exchange for 13TB of data, which included one million credit card records and details of 180 million Dominos India pizza orders.

Upstox, one of India’s top discount broking services, was also hacked in April. A security compromise at the company resulted in the release of client KYC information. While the company does not specify how much of their user data was leaked, media estimates suggest that at least 25 lakh customers were affected. Upstox notified its customers on April 11 that their passwords would be reset. They also took further steps after receiving emails warning of a potential compromise of their contact and KYC information housed in a third-party data warehouse.

Google- Is it a threat?

In 1965, Ralph Nader published “Unsafe at Any Speed,” a book that detailed how certain design mistakes had rendered some autos inherently dangerous. In today’s world, the same may be true for websites. Many websites have design flaws that make them vulnerable to attack. These issues, unlike the lack of seat belts in cars, are not immediately apparent, and the answers are not simple.

Google’s rocky relationship with privacy and security is well-known. In 2009, the corporation attempted to make structural adjustments in order to deal with critics and save face. The 2009 privacy conference reassured both Google employees and consumers that the company’s senior brass was committed to not only security but also privacy, both on paper and in practice.

Despite increased privacy settings and the ability to turn on features such as Incognito mode, Google continues to struggle with bugs, gaffes, and public perception. Because, while Google looks to the public as a software company or even merely a search company, it is fundamentally an advertising firm. Advertising is estimated to bring in $120 billion in 2019, accounting for 83.3 per cent of Alphabet’s overall income.

we could see that on the internet or elsewhere, there is no such thing as complete and comprehensive security. At the same time, Google continues to be chastised for not only its security issues but also for the way it appears to keep data in a haphazard manner.

Google has complete control over its privacy and security policies. Experts say the safeguarding of its assets necessitates a significant amount of hardware, software, and training. However, the issue is less about security threat control: all businesses of all sizes confront risks and should take equal precautions in terms of building IT disaster recovery plans as Google (at scale). Although Google is arguably better than many at preventing attacks, this does not mean the corporation is without severe problems.

The US government encouraged Chrome users to update their browsers again in February 2020, just weeks after Chrome 80 was released, due to high-rated security issues. The Google Play Store is another vulnerability, and in 2019, Google announced measures to improve the Play Store’s security and better protect customers from malware. Some of the software “cryptojacks” users’ phones, allowing hackers to mine the cryptocurrency Monero on them.

Because Google relies so heavily on the collecting of tailored data, and because the average consumer may not realise how much data Google collects, any lapse in Google’s defences may be disastrous. It doesn’t help matters that Google has been chastised for failing to encrypt customer data. It’s difficult to trust Google when it admits to storing GSuite user passwords in plaintext for a limited number of commercial users from 2005 to 2019.

Data Protection and how is it important?

Have you ever made a phone call or filed taxes? Do you have access to a smartphone? Have you used the internet before? Do you use a fitness tracker or have a social media account? If you responded yes to any of these questions, you have been sharing your personal information with private or public institutions, both online and offline, including some you may have never heard of.

Sharing data has many advantages, and it is frequently required for us to perform daily jobs and interact with others in today’s culture. However, it is not without dangers. Your personal data indicates a lot about who you are, what you think, and how you live. These data can readily be used against you, which is especially harmful to vulnerable people and communities like journalists, activists, human rights advocates, and members of oppressed and disadvantaged groups.

Problems can occur when data that should be kept private falls into the wrong hands. A data breach at a government agency, for example, may provide hostile state access to top-secret material. A data breach at a company can put confidential information in the hands of a competitor. A school security breach might put kids’ personal information in the hands of criminals who could use it to commit identity theft. PHI can fall into the wrong hands if a hospital or doctor’s office suffers a data breach. As a result, these data must be kept under absolute confidence.

The processes, safeguards, and binding rules put in place to protect your personal information and ensure that you retain control over it are referred to as data protection. In summary, you should be able to choose whether or not to disclose the particular information, who can it be accessed by that does with for how long, and for what purpose, as well as edit parts of it.

As the amount of data collected and stored continues to expand at unprecedented rates, data protection becomes increasingly important. There is also minimal tolerance for downtime, which might prevent crucial information from being accessed. As a result, ensuring that data can be restored swiftly after any corruption or loss is has to be considered as an important aspect of a data protection strategy. Other important aspects of data protection include preventing data compromise and guaranteeing data privacy. Millions of employees were involuntarily made to work from home due to the coronavirus epidemic, necessitating the necessity for remote data protection. Businesses must adapt to guarantee that data is protected wherever employees are, from the office data centre to personal computers.

What has government done so far?

Till date, there can be seen no national regulatory authority in India that works for the protection of personal data of the citizen of the country. The Ministry of Electronics and Information Technology is in charge of enforcing the IT Act as well as releasing guidelines and other clarifications. Enforcing the IT Act is the responsibility of the authorities established under the IT Act, that are the adjudicating officer and cyber appellate tribunal, and then the several High Courts and the Supreme Court.

The Rules promulgated under Section 43A of the IT Act are only applicable to bodies corporate or individuals based in India. Except in situations covered by the Rules, the provisions of the IT Act apply to any offence a person commits outside India using a computer, computer system, or computer network located in India.

India recently banned a total of 118 Chinese apps. According to sources, the prohibition is based on Section 69A of the Information Technology Act and is a result of these apps’ illicit data gathering activities. These apps were discovered to be collecting a lot of data about its users without their permission. Data from users’ clipboards, GPS positions, and critical network-related information such as IP, local IP, MAC addresses, WIFI access point names, and so on were all collected. Some of the apps were found to set up local proxy servers on users’ devices in order to transcode media without their authorization.

The Personal Data Privacy Bill (PDPB), which is now in draught form, said to be one of the most extensive data protection laws in the world, and in some aspects, harsher than the GDPR of the European Union. The bill proposed by the PDP has a greater scope. It will apply to both Indians and non-Indians in the context of companies conducted in India, the provision of goods or services to individuals in India, and the profiling of individuals in India.

Both Indian and non-Indian corporations are subject to the PDPB. Even if a corporation has no physical presence in India, the PDPB nevertheless applies if it: sells goods and services to Indians, profiles Indians; accepts rupee payments; ships things to India, or advertises to Indian clients. Surprisingly, if your organisation employs personalised advertising and your website is accessible in India, you must follow the PDPB’s guidelines. The point comes out to be true even if one is not throughly looking for Indian customers or clients.

So, why do we need the PDPB’s severe data protection regulations? The value of data is increasing all the time. Furthermore, abilities and opportunities for retrieving various sorts of personal data are rapidly evolving. Unauthorized, careless, or uneducated processing of personal data can be extremely harmful to both individuals and businesses.

Conclusion

To begin with, the goal of personal data protection is to safeguard not just a person’s data but also the fundamental rights and freedoms of those who are affected by that data. It is feasible to protect personal data while still ensuring that people’s rights and freedoms are not compromised. For example, improper personal data processing may result in a person being passed over for a job chance or, even worse, losing their existing employment.

Second, failing to comply with personal data protection standards can lead to far more serious consequences, such as the theft of all funds from a person’s bank account or even the creation of a life-threatening situation by tampering with health information.

Finally, data protection measures are required to ensure that commerce and service offering are fair and consumer-friendly. Personal data protection legislation creates a system in which personal data, for example, cannot be freely sold, giving people more control over who makes them offers and what kind of offers they receive.

If personal data is released, it can harm a company’s reputation as well as result in penalties, which is why it’s critical to follow the legislation of personal data protection. To protect the security of personal data, it’s critical to understand what data is being processed, why it’s being handled, and why it’s being processed on what grounds. It’s also crucial to figure out what safety and security measures are in place. All of this is achievable thanks to a complete data protection audit, which determines data flow and compliance with data protection standards. The audit can be completed by answering a set of questions that have been designed specifically for that purpose. The findings will provide a clear picture of the operations as well as any potential data leaks, which can subsequently be addressed.

Author: Riya Raman, Bennett University

Editor: Kanishka VaishSenior Editor, LexLife India.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s