
Juspay Data Breach Adds Another Feather to the Hacker's Hat

Yet again, a data breach is in the spotlight, as Juspay falls victim to one that has sent shivers through the market.

Over the years, many organizations such as banks, security agencies, and governmental agencies have been victims of one of the country's biggest fallouts. Data breaches have been a huge problem for many companies because they become responsible for the leak of any important information, including information that protects the company's strategies. In response, companies adopt better systems that safeguard information. A data breach is a kind of security incident. It occurs when data is obtained without authorization. The information accessed could include personal information such as numbers, passwords, and financial account numbers. Sometimes, the breached data is sold or traded on the dark web and can be used to commit crimes such as identity theft. A cyberattack often takes place first, and a data breach may follow. Both events can affect you. The damage could range from data loss on your laptop to being blocked from certain government services.

India has for years been listed among the leading nations subject to data breaches and theft, and no considerable action has been taken to change this significantly. Indian businesses that allow employees to work from home have also not prepared them to safeguard themselves from unauthorized access or use. These businesses have become an easy target for cybercriminals, causing cybersecurity breaches to increase massively. Data breaches occur primarily through two channels: via staff or through technological means. To prevent data breaches, companies must take adequate steps on both fronts. Businesses also need to safeguard themselves from new threats, such as cyber-attacks on cloud-based software applications, which almost all companies now use to facilitate collaboration from home.

In the first quarter of 2020, India witnessed a 37 percent increase in cyber-attacks compared with the fourth quarter of 2019. Kaspersky reported that between January and March 2020, it detected around 52 lakh cyber threats affecting Indian organizations, while the number of threats detected in the fourth quarter of 2019 was 40 lakh. India ranked 27th worldwide in the number of threats detected in the first quarter of 2020, compared to 32nd in the fourth quarter of 2019. In the number of security incidents caused by servers hosted in the country, India ranked 11th worldwide, with 22 lakh security incidents in the first quarter of 2020, compared to 8 lakh incidents in the fourth quarter of 2019.

The Juspay data breach became a highlight of the week as over a million users lost their data to hackers across the dark web.

The Juspay Data Breach

It was found that sensitive information from over 100 million credit and debit card users has been leaked on the dark web in a breach of Juspay's servers. Reportedly, the leaked data includes the cardholders' full names, phone numbers, and email addresses, along with their cards' first and last four digits. Juspay offers payment processing services to e-merchants like Amazon, MakeMyTrip, and Swiggy. Juspay also acknowledged that in August 2020, the data of some of its users was compromised. It emerged that the breach and data leak took place between March 2017 and August 2020. The personal details of several Indian cardholders, along with their card expiry dates, customer ID info, and card numbers with some digits fully visible, were among the information found on the dark web (1).

Notably, though, the leaked data did not include transaction and order details. Although Juspay users' leaked information was masked in places to reveal only partial card numbers, the breach still leaves users susceptible to phishing scams, if not to a financial scam per se. Users' leaked data is being sold for an undisclosed amount on the dark web. In a statement, a Juspay spokesperson said that on August 18, 2020, an unauthorized attempt was made on its servers. It was terminated, however, and no financial credentials or transaction information were compromised, the statement added. “Some data records containing non-anonymized, plain-text email, and phone numbers were compromised, forming a fraction of the ten crore data records.” The spokesperson also revealed that the company's merchant partners were informed about the data leak (2).

Another subset of the leaked database includes the users' phone data and email IDs. The leaked payment information was masked in places so that only partial card numbers are revealed. While this decreases the potential for a financial scam, resourceful hackers could still use the data to launch phishing scams that induce victims to hand over their card data.

How India has been subject to data breaches

The Information Technology Act, 2000 (3) provides that corporate bodies, such as enterprises, businesses, sole proprietorships, and other groups of individuals engaged in commercial or professional activities, that handle sensitive personal information are liable for any losses incurred through their recklessness in establishing and managing reasonable security practices and procedures. Although the IT Act is silent on what constitutes "reasonable security practices and procedures" and provides no clear definition, the SPDI Rules offer examples of these standards. The IT Act also provides for criminal penalties, which include both imprisonment for a period of up to three years and a fine, for persons, including intermediaries, who disclose personal information without the permission of the person to whom the information belongs, in breach of the contract concerned, or for wrongful loss or gain.

Several cyberattacks on organizations in India have been reported, causing a huge financial impact on banks and their users. Security firm Quick Heal Technologies has recently identified a new wave of the Adwind Java Remote Access Trojan (4) campaign, which targets Indian cooperative banks by taking advantage of the COVID-19 pandemic. The firm warned that attackers tried to take control of employees' devices to steal sensitive information such as SWIFT logins. “These banks are generally small in size and may not have a large team of trained cybersecurity staff, which may have made them a target for cybercriminals,” said Quick Heal.

The cybersecurity policy (5) was published in anticipation of the IT industry's growth and the resulting need for a cyberspace policy, with a mission to protect information and information structures, prevent and respond to cyber threats, and minimize the damage caused by cyber incidents. In short, the policy seeks to create a secure cyber ecosystem in the country with a regulatory framework for assurance, and to establish a mechanism for monitoring and responding to threats. It also calls for the development of indigenous security technologies and the creation of a workforce of qualified cybersecurity professionals. The policy document seeks to reduce the risk of cyber threats by establishing several plans to minimize supply chain risk, raise awareness of cybersecurity, develop private-public partnerships, and strengthen bilateral and multilateral cooperation at national and global levels.

Data breaches during the pandemic in India

The emergence of COVID-19 revealed the shortcomings of the existing cybersecurity policy yet further. Everyone had to work from home, outside their organizations' firewalls, which led to an increase in data breaches and security breaches. According to a survey carried out with employees across organizations in India, sixty-six percent of them faced at least one data breach. From March, when the lockdown began, to June, security experts observed a 500 percent growth rate in cyber vulnerabilities and security breaches and a 3 to 4-fold increase in the number of phishing scams. According to a survey by the Data Security Council of India, there has also been an increase in the number of financial transactions, which has increased fraudulent attacks (6).

Data breaches over the years in India

  1. BigBasket data breach (7): BigBasket, one of India's popular e-grocery startups, was entangled in a security breach that compromised the data of nearly 20 million users. The cybersecurity research firm Cyble's blog said that its research team discovered that the BigBasket database was being sold in the cyber-crime market for over forty thousand dollars. BigBasket admitted that a breach had occurred. Although BigBasket said it was assessing the breach, it has not provided an update. The data included names, email IDs, hashes for passcodes, PINs, contact information, addresses, dates of birth, locations, and IP addresses. Cyble said it found the data on October 30 and confirmed the apparent breach to BigBasket on November 1, after comparing it with BigBasket customer data to validate it.
  2. Unacademy data breach (8): With more than 10,000 registered teachers and 13 million students, Unacademy is one of India's leading edtech platforms. In January 2020, Unacademy was targeted by a data breach, resulting in the exposure of more than 20 million user accounts that were eventually sold on the dark web. Unacademy confirmed that it had suffered a breach while assuring users that no sensitive data was compromised. The business is performing a full background check and will address any potential security loopholes. Cyble has acquired the leaked database containing account details of 2.1 million Unacademy users. Currently, Unacademy is establishing accurate data-safety procedures to prevent any more breaches in the future.
  3. SBI data breach (9): State Bank of India, the nation's largest bank, has leaked data from millions of its account holders. Data such as bank balances and recent transactions were visible online because of the leak. The server hosted client banking information from "SBI Quick", the bank's text and call-based service that keeps customers updated on balances, recent transactions, and credit information. The information from SBI Quick was out in the open on a server that was not password-protected. The whole leak episode was due to poor configuration by server administrators and a lack of server management. The aftermath of the SBI data breach ensured that the bank established proper data servers to prevent such a breach.
  4. Justdial data leak (10): A security flaw in the systems of JustDial, a local search services provider based in India, left the data of around 156 million users vulnerable. The flaw could allow an attacker to access accounts without the user's knowledge; after a security researcher flagged the problem, the company managed to patch the bug. It is said that JustDial's website, mobile app, and voice platforms were affected by the bug. JustDial explained that no data or money losses had been reported as of now. By exploiting the bug, a hacker could use a JustDial user's phone number as a username and gain access to the account. It was also revealed that the bug enables hackers to change account details for JustDial's payment option.


The Juspay data breach is now on the list of the biggest data breaches in the country. Juspay could say they are doing everything they can, but sorry to burst your bubble; it will take another five years before something deadlier than the virus can be done. That the Juspay incident comes after many others suffered the same goes to show how irresponsible the country's technology stands today. Applying a good protective shield for the millions who sign on to your platform, yet leaving them held by the neck with fear, shows how careful we must be before even thinking of registering on one of these financial applications, as it is a matter of our financial security. The data breach isn't the end, and there will be more of these incidents in the coming months unless it is treated as the real deal.