How could a Data Breach Impact you?

Background

In the digital world, large organizations holding voluminous data are the preferred targets of the hackers who carry out data breaches. These breaches not only expose security lapses within the organizations but also put user privacy at risk.

Data breaches are security incidents that lead to accidental or unlawful access to, or disclosure of, personal data. They therefore include acts whereby information belonging to an organization is accessed, stolen, and used by a cybercriminal without authorization.

Data breaches in India

After Japan, India is the most targeted country for cyber attacks in the Asia Pacific region.[1] Over 313,000 cybersecurity incidents were reported in 2019 alone, according to the Indian Computer Emergency Response Team (CERT-In), the Government agency responsible for tracking and responding to cybersecurity threats. The trend continued upward, and the first quarter of 2020 saw a 37% rise in cyber security incidents as compared to 2019.[2] The growing frequency of data breaches calls for closer scrutiny of how they affect individuals and what price their stolen data fetches.

An IBM report[3] states that the average cost of a data breach in India is USD 2 million, compared to the global average of USD 3.86 million. While the cost of a data breach is low in India, the return on stolen personal data remains high.

On 15th May, 2021, Air India published a statement notifying a data security incident at its data processor, SITA, which led to a breach of personal data belonging to 1.5 million Air India customers. A few days later, on 21st May, it was revealed on Twitter that hackers had accessed the Indian database of Domino’s and that personal details of its customers and employees had been exposed. The impact of these two breaches on data security and privacy is considerable, as they cumulatively exposed the personal data of 22.5 million users.

Hackers behind the Jubilant Foodworks’ (i.e., the company holding franchise rights for Domino’s pizza in India) data breach claimed that they had access to all internal files belonging to 250 employees across various departments. They also claimed access to customer details as well as 180 million order records containing name, phone number, email, delivery address and payment details, along with the details of 1 million credit cards used for purchases on the Domino’s app.[4] However, on 20th April, Jubilant Foodworks confirmed the breach in a short statement but denied any leak of financial data, stating that it does not store such data on its servers.

In the case of the Air India data breach, it was its data processor (SITA) that suffered the security incident, and personal data belonging to various airlines, Air India among them, was exposed. The breach exposed the full names, dates of birth, contact information, passport information and frequent flyer data of Air India customers.

How can hackers misuse your personal data?

A data breach results in unlawful access to personal information. The hackers who carry out the breach usually inventory this personal information (which may include sensitive personal information) and sell it to data brokers, who then monetize it. While the risks associated with a data breach depend on the kind of data stolen, hackers generally do the following with stolen data:

Holding the stolen data for ransom
Conducting identity theft against the users to commit financial or other frauds (e.g., transferring money from your bank account using a fake identity)
Targeted phishing attacks on the users for the purpose of extortion
Profiling individuals on the basis of caste, race, political or religious beliefs etc., for targeted marketing or to influence their thinking
Selling personal data to other criminals or data brokers who may carry out the above activities

Hackers target all sorts of personal data, but certain categories of personal data fetch a higher price than others. Generally, a full set of someone’s personal information, including identification number, address, birthdate and possibly credit card information, sells for between $1 and $450, with a median price of $21.35.[5]

The price of personal data also varies with the country of the individual whose data is being sold. American card data, along with the CVV number and some other details, sells for $5-$8, while a European card sells for $25-$30. The price rises with the level of detail, and full card details can go as high as $45 for a European Union card.[6]

The personal data stolen or exposed in the Air India and Domino’s breaches can be sold for a lot of money on the internet. It was reported that the hackers behind the Domino’s breach demanded nearly INR 4 crore (USD 550,000) for the 13TB database.[7]

Discovering a data breach is just the tip of the iceberg. While companies scramble for damage control after discovery, there is a high chance that the personal data stolen by threat actors has already been sold to other entities preying on such data. A robust security program with a quick response procedure appears to be the key to preventing such breaches, and legislation governing these areas plays a key role when a breach does occur.

Current legislation in India relating to data security and protection

The IT Act and the rules framed thereunder

The rules framed under the Information Technology Act, 2000 (“the IT Act”) define a cyber security breach as the unauthorized acquisition or unauthorized use, by a person or an entity, of data or information that compromises the confidentiality, integrity or availability of information maintained in a computer resource.[8]

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“the SPDI Rules”) govern the framework of personal data security in India. Section 43A of the IT Act obliges a body corporate to follow reasonable security practices and procedures. The SPDI Rules describe reasonable security practices that body corporates can follow for the security of personal data and sensitive personal data. However, the SPDI Rules do not lay down any specific security practices; rather, they suggest certain standards, such as ISO 27001, which body corporates may adopt voluntarily.

The SPDI Rules oblige body corporates to have a privacy and security policy. They also regulate the collection and transfer of personal data. However, they do not prescribe any specific regulation for handling data breaches.

While organizations do claim to fulfil the primary obligation of maintaining reasonable security practices as prescribed in these regulations, from the IT Act standpoint they are free to decide their own course when it comes to data breach reporting.

The Indian Computer Emergency Response Team (CERT) is the nodal authority appointed by the Government of India under the IT Act to deal with cyber security risks and cyber-attacks. It operates under the Department of Electronics and Information Technology, Ministry of Communications and Information Technology, Government of India, and was formed to address all types of cyber security incidents in India and render support in such cases. The CERT Rules specifically address data breach reporting.

Under the CERT Rules, cyber security incidents such as targeted scanning of critical infrastructure, compromise of critical systems, unauthorized access to IT systems, cyber-attacks on critical infrastructure, attacks on e-governance and e-commerce applications etc. must be reported to CERT by the affected corporate entity, organization or individual within a reasonable time.[9] However, data breach reporting under the CERT Rules has been low.

The Personal Data Protection Bill, 2019

Issues relating to data security and data breaches are elaborately covered in India’s Personal Data Protection Bill, which currently awaits legislative assent.

Section 25 of the PDP Bill requires data fiduciaries to report a breach of personal data to the Authority (i.e., the regulatory authority to be constituted under the law) where the breach is likely to cause harm to the data subject. It further specifies the particulars that a data breach notification sent to the Authority must contain.

If a data fiduciary fails to notify the Authority of a data breach in accordance with section 25, the Bill proposes a penalty of ten thousand rupees for each day the default continues, subject to a maximum of twenty lakh rupees for significant data fiduciaries and five lakh rupees in other cases.[10]

However, the obligation to inform the affected data subjects of a breach is not triggered unless the Authority so decides. Thus, only after assessing the breach and issuing a direction does the Authority oblige data fiduciaries to inform the data subjects. Furthermore, if in the course of that assessment the Authority determines that there has been a breach of the security obligations prescribed under the law, a penalty of fifteen crore rupees or four per cent of the fiduciary’s total worldwide turnover of the preceding financial year, whichever is higher, can be imposed.

Conclusion

With the spread of technology and everyday computing, data breach incidents are expected to increase with every passing year. Hacking groups have grown in both size and number. Such incidents pose a serious threat to the organizations and the individuals whose data is compromised. Given the rising frequency of data breaches and their far-reaching implications, India needs to expedite the enactment of the PDP Bill, which would serve as the fundamental legislation governing data breach incidents.

[1] IBM, ‘IBM 2021 X-Force Threat Intelligence’ (IBM 2020), https://www.kommersant.ru/docs/2018/IBMXForceThreatIntelIndex2020.pdf

[2] Abhinav Singh, ‘India sees 37% increase in data breaches, cyber attacks this year’, The Week

[3] IBM, ‘Cost of a Data Breach Report 2020’, IBM Security

[4] Post by Domino’s hacker group, https://raidforums.com/Thread-SELLING-Domino-s-India-Data-Breach-13TB-internal-files–133157

[5] ‘Here’s what your stolen identity goes for on the internet’s black market’, Quartz

[6] ‘The Hidden Data Economy’, McAfee

[7] Tweet by Alon Gal, https://twitter.com/UnderTheBreach/status/1383673094963822597?s=20

[8] The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties Rules, 2013, Rule 12

[9] The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties Rules, 2013, Rule 2(i)

[10] Section 59, Personal Data Protection Bill, 2019