Data, the most valuable asset in the information era, is tricky to hold and even more complicated to safeguard. India witnessed a 37% increase in data breaches in 2020 compared to the first quarter of 2019 (1).
The tech industry faces a persistent dilemma as hackers slowly feed on its databases. According to an IBM study report (2), the country’s minimum cost of leaks reached up to 14 crore INR last year. Such statistics place India among the top nations across the globe in cybercrime.
The work-from-home (WFH) scenario has led to a massive digital transformation. According to a digital monitoring company, more than 15 billion credentials were up for sale with the close of the coronavirus pandemic resulting in lockdown (3).
According to market experts, the BigBasket data leak is the biggest loot in the country’s cyberspace. A global security company reported that fraudsters had leaked the information of over 20 million user accounts in the cybercrime market. The breach became apparent on October 30, 2020, and the data was soon put on sale for 3 million INR. The news was confirmed by November 7, 2020, when the company acknowledged the leak (4).
In the preceding months, India witnessed several major breaches that shook the market. These include Haldiram Snacks Pvt Ltd, a sweet seller; narendramodi.in, the Indian PM Narendra Modi’s personal web portal; Bharat Matrimony, an online matrimonial service; and IRCTC, Indian railway’s online ticketing platform. Notably, Paytm Mall, an e-commerce firm, and Dr. Reddy’s Laboratories also witnessed attacks last year.
Facebook Data Leak
Earlier this week, we received the news of a Facebook data leak where login details of over 533 million users globally were leaked online for free, with 6 million of them being Indian.
Hackers leaked details like Facebook credentials, phone numbers, locations, and other information of these users. Alan Gal, a security researcher, found that a user on a hacking forum had publicly released the entire dataset for free.
Alan claims that the data was first released in January when the user ‘advertised an automated bot that could offer phone numbers of millions of Facebook users for a price.’ The user has now leaked the entire Facebook data to the public. The data includes phone numbers, Facebook IDs, email IDs, names, birthdate, location, etc., of more than 500 million users across the globe.
According to a Business Insider report (5), out of the 533 million users from over 106 countries, more than 6 million users are Indian.
The hacker also publicly released the data of more than 32 million American users and over 11 million UK users.
Facebook told the media that fraudsters had taken advantage of a vulnerability that the company fixed in 2019. However, they might have had access to the information before the company could fix the bug.
Gal told Insider that a database of such massive size containing users’ private information like phone numbers of Facebook’s users would undoubtedly lead to bad actors taking advantage of the data for social engineering attacks or even hacking attempts.
Considering that sensitive data is already publicly released, hackers can take advantage of it and perform all kinds of attacks to gain more information.
It is also worth highlighting that this is not the first time hackers have used Facebook’s vulnerabilities to their advantage and snatched sensitive information. Back in 2019 (6), hackers had exposed more than 419 million Facebook users’ phone numbers on the internet. The social media giant confirmed parts of the claims; however, it downplayed the extent of the exposure described in the report. It stated that the number of confirmed accounts has so far been around half of the reported 419 million.
The same year, details of more than 540 million Facebook users were accessible publicly after a massive cache of unprotected data was discovered on unsecured Amazon servers used by a Mexican social media company.
You can check whether your credentials were part of the list by visiting CyberNews’ personal data leak check, an online repository of known credential leaks. If your data is among the leaked records, we recommend you change your password immediately. Everyone should do that monthly anyway.
Data Leaks and Regulations in India
India today has relevant needs for online data. However, without adequate regulations, rules, and protection policies in place, it is cumbersome for the entire country. Indian cyber law rests on a single act, the Information Technology Act 2000, which pays only lip service to a cybersecurity legal framework.
Several cases reported in the past two years show a pattern: the attacks focus on Indian government registers and agencies, sending the message that our country’s databases are unsuccessful at protecting their sensitive information.
Data breaches of our government online portals are a matter of grave concern for India. Official information such as voter ID numbers, Aadhaar card details such as retina scans, fingerprints, and health reports can be found in parts of the dark web with a ‘for sale’ tag.
A leaked database of 5 lakh candidates from a police department examination was on sale in a dark web database-sharing forum at the end of 2019. Officials traced the leak on December 22, 2019, and found that the information belonged to Bihar candidates who attempted the exam (7).
The National Health System, which compiles blood groups, blood test charts, and medical history, sources the country’s economic base. In August 2019, according to a Chinese hacker group, Falkensky 519, the health care records of over 68 lakh doctors and patients were leaked.
A similar situation surfaced when the coronavirus test results of Indian patients were accessible in the Google index earlier this year. Even though the information was not commercialized, it was kept open for access. The incident happened in January 2021, when the lack of security in government websites again left the data exposed.
The number of data leaks in India has still not fallen. On March 29, 2021, MobiKwik, a payment app, came under the limelight for an alleged data leak. Reports stated that it had exposed close to 8.2 TB of data, including know-your-customer (KYC) details, phone numbers, addresses, and Aadhaar card details of its users, on the dark web. But the company has denied all the claims regarding the breach.
Although the data was out in February, there is now a link circulating on the dark web disclosing its users’ personal details (8) because of the company’s refusal to accept it.
Cybersecurity and Data Privacy in India
While the world considers India an export hub for engineering talent and one of the fastest-growing tech markets, there is still much scope for improvement when it comes to cybersecurity and data privacy.
Recently, India stood at 19th place in a ranking of 21 countries in the National Privacy Test, according to a recent survey by NordVPN, a virtual private network (VPN) provider.
The company had launched the survey in November 2020 and assessed the privacy awareness, digital habits, and risk tolerance of more than 48k participants across the globe.
India scored 51.1 points out of 100, while Germany topped the table with a score of 71.2. India received about 37 points for digital habits, 57.6 for privacy awareness, and 65.2 in risk tolerance. By comparison, the global tallies on these criteria were 47.1 in digital practices, 72.2 in privacy awareness, and 84.2 in risk tolerance. Overall, the country scored 4 points below the 71.2 global average, one of the worst performances by nations with similar economies.
Several factors contribute to India’s failure in the global privacy test. The NordVPN test highlighted that India is the worst country when it comes to paying attention to the terms of service of the services and applications its users rely on. The survey outlined that India should concentrate on five aspects to turn the situation around (9).
- Avoiding sharing sensitive data on social media platforms
- Understanding the importance of reading the terms of service of online services and mobile applications
- Using different tools to become more private online
- Facebook’s ability to collect data on people who don’t even have an account on the site
- Securing their personal WiFi network
The test further revealed that Indian users understand the security benefits of creating strong passwords, updating apps as soon as possible, how malware infects devices, and how to react to online privacy threats.
It is interesting to highlight that Japan performed the weakest in the National Privacy Test with a 44.4 overall score despite being among the most digitally competitive nations. It scored 34.8 points in digital habits, 45.3 points in securing online privacy, and 57.7 points on reacting to online privacy threats.
Are Indian Users to Blame for the Country’s Performance?
Even though the National Privacy Test focused solely on users, companies in the country are also not doing any better in managing cybersecurity and user privacy.
Indian firms have been subjected to several significant cybersecurity attacks, which have compromised millions of users’ privacy. In 2021 alone, data of more than 200 million Indian users was compromised in the data leaks of two fintech startups, Mobikwik and JusPay.
The data leak of over 100 million users of JusPay, a mobile payment solutions firm, was severe as the leaked data includes sensitive financial details such as users’ card brand, the last four digits of the card, card expiry date, card name, card fingerprint, card ISIN, merchant account ID, customer ID, and several other details (10).
As we talked about before, the Mobikwik data breach of over 110 million users includes the financial and personal details of customers and merchants that have procured loans for the platform. However, the company has denied any breach; even Bipin Preet Singh, the CEO of Mobikwik, is blaming users (11).
According to data from the state-owned Indian Computer Emergency Response Team (CERT-In), bad actors hacked more than 26,100 Indian websites in 2020. These include 110 central ministry websites, 54 departmental websites, and 59 state government sites. It is also worth noting that bad actors hacked over 17,560 websites in 2018 and over 24,768 in 2019 (12).
Considering the increased volume of data breaches and more significant hacking attempts, the Indian government decided to strengthen its cybersecurity infrastructure. It launched a policy in January 2020 (13). However, there has been no update on that since then.
Nevertheless, the Indian government has taken several other measures, such as Cyber Swachhta Kendra, a botnet cleaning and malware analysis center, the formulation of a cyber crisis management plan, and the empanelment of security auditing organizations to support and audit the implementation of best practices.
Even the Reserve Bank of India (RBI) has decided to take action on data breaches and leaks and has finally decided to update its policies and tighten supervision rules and regulations (14).
Cyber Attacks in the Post-COVID Era
During the coronavirus pandemic, businesses went fully remote overnight and had to give their employees all access outside the office network. Customer information was being accessed from wherever employees happened to be. Businesses had to work hard to ensure a soft landing for their teams and to speed up solutions for the new reality, whether by building new products or by modifying existing ones to make themselves work-from-home ready.
For instance, Zomato had to re-think its gold membership (15), and Cure Fit did an excellent job of transitioning into online fitness sessions (16). Unfortunately, when all of these were happening, security was not the first thing in the mind of businesses, and hackers knew how to exploit it.
Cyber attacks on some of the most prominent Indian startups such as JusPay, BigBasket, WhiteHat Jr, and Unacademy took the industry by storm during the pandemic in 2020.
While several of these incidents made headlines across India, several small-scale attacks have remained unreported. Incidents of malware-infected websites and daily hacks go unnoticed because the targets are not as well known as BigBasket or Zomato.
While these data leaks were significant, the incident response was also commendable by these Indian startups. They issued relevant public statements, explained what went wrong and the steps they took to remediate things. They indeed handled the situation both professionally and responsibly.
However, the idea is to ensure that these incidents never happen in the first place. And even if they do happen, they should be on a much smaller scale. That is only possible with regular security audits, early threat detection, and real-time protection (17).
The days are long gone when companies could consider their technology plan secondary to other processes. Considering the current scene, where startups and SMEs are taking their businesses digital overnight, a robust technology strategy is needed to define these institutions’ overall business strategy (18).
According to the World Economic Forum, cybersecurity is the topmost concern for CEOs across the world (19). A Barracuda Networks survey (20) highlighted that 66% of Indian companies have had at least one cybersecurity incident or data breach since starting the remote working model amid the coronavirus pandemic.
Protecting Your Company from Cyberattack in 2021
Here are five simple ways you can protect your company against a cyber attack in 2021.
One of the most significant sources of data leaks is misconfigured servers on cloud platforms such as Azure, AWS, and Google Cloud. As a company expands, its infrastructure grows at an even faster pace. That increases the attack surface for bad actors, and new servers set up in a hurry to meet demand often have security loopholes that can be fatal.
There have been several reports of a massive surge in cases where hackers took advantage of misconfigured servers to access the secret key, which essentially lets them access millions of records. Having servers checked internally and audited by external security companies for the best configuration from a security perspective is the best key to cyber protection.
Getting Regular Security Audits
We can’t stress this enough. As more new features and code roll out, one needs to conduct more frequent security audits. Market experts recommend that businesses get vulnerability scans at least monthly to reveal vulnerabilities before hackers do. Make such vulnerability assessments a part of your business’s development cycles.
When your data is encrypted in transit and at rest, even in the worst scenario of a data breach, hackers would not be able to find the sensitive data in plain text. Hence businesses need to ensure that all their data is stored in an encrypted format with strong encryption.
It makes selling the data even more difficult for bad actors, since breaking robust encryption algorithms without the key takes heavy computation power and even decades.
Make Your Security ‘Brag Worthy’
If you are continuously making your mobile app or online portal secure, tell your audience the steps you are taking and how much you value the trust your customers place in your application by sharing their data. Why wait for a data leak to talk about the best security practices you have followed?
Training Team and Social Engineering Prevention
There is a perception in the cybersecurity world that humans are the weakest security link. With planet earth going all ‘remote,’ it becomes even more real since, in an office setup, one can be assured that specific security standards are fulfilled when customers access critical data from the office network.
But now that the world has become our office network, apart from investing in VPNs and other secure remote access tools, training employees to prevent targeted phishing attacks and other techniques bad actors use to trick employees into handing over sensitive data is the key.
While we are still pondering data breaches in India, the situation in cyberspace is worsening. Yet cybersecurity awareness, stringent laws, and acknowledgment of victimization by malicious activities can curb the predicament.
It is high time for users to act for their safety and privacy because, as market experts and researchers say, there is nothing a user can do once the information is out.