This has not happened for the first time. Yet, it escaped the attention of many. The data leak story that hit the headlines last week has raised an alarm over the kind of risk we all face in this digital world.
A report from cyber security experts claimed that a database of around 3.5 million customers linked with fintech service provider MobiKwik has been put on sale on the worldwide dark web.
An anonymous hacker has offered to sell 8.5 terabyte database, containing email id, phone number, password, physical address details, soft copies of identification documents etc. for US$ 75,000, payable in cryptocurrency.
For an average Indian citizen, one terabyte data actually means around 500 two-hour long movies. It is difficult to even imagine how much data 8.5 TB would contain!
MobiKwik is one of the first companies, to have launched the online payment solutions and wallet. Like PayTM, it had acquired millions of customers quite quickly. Instead of resolving this sensitive issue, the expert who initially brought up this issue was targeted in a vilification campaign. Not only this, attempts were made to even close his social media accounts.
The company conveniently denied the incident and claimed that it has not observed any data breach in the month of February 2021 as claimed by the hacker. However, when the Reserve Bank of India took note of the incident, it had to agree to conduct a forensic audit.
The company also mentioned that the users could have uploaded their information on several other platforms, it would be difficult to say that the database was leaked from its website.
On the one hand the company accepts the vulnerability of data but on the other, it did not even accept any data breach, forget informing the customers, whose data has been put on sale. And so is the case with many other companies. However, we as consumers are more vulnerable in the current scenario than ever.
With the pandemic disrupting businesses, companies were quick to adopt work from home as the new norm. Clearly, the database that the employees initially accessed from a closed environment in an office set-up, was opened for remote access. It has certainly been a boon for cyber criminals, who look for such opportunities. Small wonder that the year 2020 saw one of the largest number of data breaches globally. The threat has been increasing by leaps and bounds, considering that the pandemic will stay for another few years.
Kaspersky, an antivirus company, has revealed that the total number of brute force attacks against remote desktop protocol (RDP) increased from 93 million in February 2020 to 277.4 million in March 2020 when the world went into strict lockdown. One can imagine the kind of risks we all face.
In India alone such attacks shot up from 1.3 million to 3.3 million in the same period. Since April 2020, monthly global attacks never went below 300 million, touching a new high of 400 million in the month of November. India recorded the highest number of attacks in the month of July 2020 when data breaches crossed 4.5 million!
And there is no end to it. By the end of February 2021, India alone saw 9.04 million attacks. India may or may not be the favourite destination for foreign investors but it has certainly become one of the favourites for cyber criminals.
Be it Big Basket, JusPay, PayTM, Aadhaar or even the largest bank State Bank of India, all of them faced these attacks. In fact, even the much-publicised payment solution, Bhim app, could not evade such an attack.
Of late, personal information of around 5,00,000 police personnel was also put up for sale! Not only this, in the month of February, database of the army personnel posted in Jammu and Kashmir was also posted in the worldwide dark web. Imagine the ones who have been entrusted with the responsibility of protecting the common man — their database, too, is equally vulnerable.
Unlike other organisations, MobiKwik has been continuously denying claims of any data breach. And why should it not? The company is planning to announce an initial public offering (IPO) to raise US$ 200 to US$ 250 million in September this year. Such a news will certainly be a setback for its growth plans. However, going into denial mode and not taking necessary action, will do it more damage.
Be that as it may, the question that comes to mind is why is it easy for the hackers to attack Indian databases? What has made it more vulnerable, compared to other countries of the world. The answer lies in the legal framework.
Laws in India have been ambiguous over data privacy for a long time. However, in the year 2017, the Supreme Court of India held that the right to privacy was a part of the right to life and personal liberty as enshrined in the Constitution.
The ruling came in the light of questions raised over privacy issues, safety of biometric data and iris scans collected under the ambitious Aadhar scheme. The debate and the European Union’s initiative of implementing the general data protection regulation (GDPR) certainly forced the Indian government to think over legal provisions protecting data and privacy.
As a result, a personal data protection Bill was drafted. However, it was highly criticised on certain fronts and could not become a law. Many dubbed it as a tool that can be used for surveillance and invading the privacy of citizens in the name of national security.
The government has so far not been able to win the confidence of either the legislators or the common man. The focus should have been on holding constructive discussions to modify the Bill. Meanwhile, hackers are certainly having a free run.
While digital India has certainly opened new avenues for start-ups, it has also given way to new and complex forms of cyber-crime. At stake is the privacy and security of the common man, who in any case, has no means to protect himself.
He is certainly at the mercy of the powers that be and the tech firms he relies on for simple payment solutions. They say trust begets trust. At no point should it be counter-productive.
(The writer, a company secretary, can be reached at firstname.lastname@example.org)