Is Your Data Safe?
From the very beginning, humans have been after precious things. First it was valuable metals and stones, then came oil, and now everyone is after data. Data is different for every person: for some, it is photos or videos; for others, it is the lines of code they use to develop programs. Data is the most significant wealth of an individual or a body corporate, and the growing use of data has also increased the chances of a data breach, i.e., data theft or a data leak. A data breach is an incident where perpetrators intentionally steal sensitive data of an individual or body corporate without its knowledge or authorization. As digitalization has increased, data is now stored on cloud servers and is more susceptible to attacks. Sometimes, because employees invest their time in developing programs, they feel they have ownership over the program and steal the data. Recently, information on 1.3 million Indian debit and credit cards was listed for sale on the dark web; this is the most common kind of data breach. A CIO survey by Forcepoint and Frost & Sullivan found that 69% of Indian organizations are at risk of a data breach, with 44% of them having encountered a data breach before and 25% failing to perform any breach assessment in the last 12 months. We at Netlawgic certainly think that Indian organizations, specifically SMEs, are not giving Information Security the importance it deserves, more so in today’s digitized world.
What is Data Theft?
Data theft, also known as data breaches or data hacking, is a growing problem in today’s digital age. With more and more personal and sensitive information being stored online, the potential for data theft is increasing.
One common form of data theft is identity theft, where a hacker gains access to personal information such as Social Security numbers, credit card numbers, and other sensitive information. This information can then be used to open fraudulent credit accounts or make unauthorized purchases.
Another form of data theft is known as corporate espionage, where a hacker gains access to a company’s confidential information such as trade secrets, financial data, and customer information. This type of data theft can have severe consequences for a business, as it can result in lost revenue and damage to the company’s reputation.
Data theft can occur through a variety of means, including phishing scams, malware, and unsecured networks. It is important to take steps to protect yourself and your business from data theft.
One way to protect yourself is to be cautious when clicking on links or downloading attachments from unknown sources. It is also important to use strong passwords and to regularly update them.
Another way to protect yourself is to use a virtual private network (VPN) when accessing the internet. A VPN encrypts your internet connection, making it much more difficult for hackers to intercept your data.
For businesses, it is important to have robust security systems in place to protect against data theft. This can include firewalls, intrusion detection systems, and regular security audits. It is also important to have a data backup and disaster recovery plan in place in case of a data breach.
Finally, it is important to be aware of the signs of data theft. These can include unauthorized charges on your credit card, unexpected credit inquiries, and the receipt of bills or credit card offers in your name. If you suspect that your data has been stolen, it is important to take action immediately by contacting your bank, credit card issuer, and the relevant authorities.
Data theft is a serious problem that can have severe consequences for both individuals and businesses. By taking steps to protect yourself and your business, you can help to reduce the risk of data theft.
How does data theft happen?
System Vulnerabilities – Often, the operating system or antivirus programs are outdated, which allows perpetrators to exploit the vulnerabilities of applications by inserting malware into programs and stealing data.
Weak Passwords – User passwords are often birthdates or names, which perpetrators can easily guess to enter the system or account and access the data or sensitive information. Experts advise using a complex password and changing it from time to time.
Compromised Downloads – When an individual downloads programs or data from compromised websites that are infected by viruses, such as worms or other malware, perpetrators gain unauthorized access. This allows them to gradually encrypt all the data and demand a ransom to decrypt it; if the ransom is not paid in time, they delete all the files.
Phishing – Some perpetrators pose as reputable companies and send emails to individuals to tempt them into revealing personal information, such as passwords, credit card information, UPI PIN, etc.
What are the modes of data theft / Unauthorised Copying of Data?
USB (Pen) Drives & Memory cards – For perpetrators, these are the easiest and cheapest options, and they are very easy to hide. Memory cards now come in 512 GB and 1 TB variants, so it has become even easier to move a large amount of data in a small package. There has been a considerable rise in source code theft cases, wherein employees copy the code and start their own company or sell the system to a competitor for a handsome amount.
Portable Hard Drives – These are also a popular medium, for the apparent reason of their large storage capacity.
CD/DVD – This medium was popular back in the days but has become obsolete now.
Email – Some perpetrators use email to transfer files from their official email account to a personal email account or home computer; they move the data slowly over a period of time to avoid detection by the IT department. The perpetrators in this scenario are generally disgruntled employees. They send these emails to their private accounts on the pretext of working from home.
Web-Mail – Some web-mail interfaces allow larger file attachments than conventional email service providers.
Printing – Some perpetrators prefer not to leave any electronic evidence behind; they print the critical documents and steal them as hard copies.
Remote Access – This can take the form of either unauthorized access (hacking) or authorized access, as some organizations provide remote access to their employees so that they can work from their home computers. This also makes tracing the data difficult for law enforcement agencies or private investigators.
Cloud – We have seen more than sufficient cases to date where famous cloud services were hacked like a piece of cake. The hacked data is either held for ransom or sold on the dark web. Even though sufficient care is taken to block these kinds of illegal hacking activities, today’s hackers are unfortunately not two but ten steps ahead.
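The Email mode above works because each message stays small. As an added example (not part of the original article), the following sketch shows how an IT team could sum attachment volume per sender and personal mailbox over a rolling window, so that slow transfers surface even when no single email does. The domain names, thresholds and log records are all assumed, constructed values.

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumed, illustrative values: tune the domains and limits to your own environment.
CORP_DOMAIN = "corp.example"
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
MIB = 1024 * 1024
PER_MESSAGE_LIMIT = 10 * MIB   # naive rule: alert on any single large email
WINDOW_DAYS = 30               # rolling window for the cumulative rule
WINDOW_LIMIT = 50 * MIB        # cumulative bytes allowed per sender/mailbox pair

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def per_message_alerts(records):
    """Single-message rule: misses data moved in small pieces."""
    return [r for r in records
            if domain(r[2]) in PERSONAL_DOMAINS and r[3] > PER_MESSAGE_LIMIT]

def slow_exfil_alerts(records):
    """Return {(sender, recipient): peak bytes in any WINDOW_DAYS window} for
    corporate senders whose mail to one personal mailbox exceeds WINDOW_LIMIT."""
    by_pair = defaultdict(list)
    for day, sender, rcpt, size in records:
        if domain(sender) == CORP_DOMAIN and domain(rcpt) in PERSONAL_DOMAINS:
            by_pair[(sender.lower(), rcpt.lower())].append((day, size))
    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        start = total = peak = 0
        for day, size in events:           # sliding window over sorted events
            total += size
            while (day - events[start][0]).days >= WINDOW_DAYS:
                total -= events[start][1]  # drop events older than the window
                start += 1
            peak = max(peak, total)
        if peak > WINDOW_LIMIT:
            alerts[pair] = peak
    return alerts

# Constructed mail-gateway records: (date, sender, recipient, attachment bytes).
SAMPLE = [(date(2024, 1, 1) + timedelta(days=2 * i), "asha@corp.example",
           "asha.home@gmail.com", 8 * MIB) for i in range(12)]
SAMPLE += [(date(2024, 1, 5), "ravi@corp.example", "ravi@yahoo.com", 3 * MIB),
           (date(2024, 1, 6), "ravi@corp.example", "vendor@partner.example", 40 * MIB)]

if __name__ == "__main__":
    print(per_message_alerts(SAMPLE), slow_exfil_alerts(SAMPLE))
```

On the constructed records the single-message rule raises nothing, while the cumulative rule flags the one sender who moved 96 MiB in 8 MiB pieces.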
What kind of data can be stolen/copied?
Everything stored in an organization or by an individual has some potential value; some of the targets for data thieves are as follows:
- Customer contact & Financial data such as credit card and debit card information;
- Source codes & Algorithms;
- Marketing information such as Plans, Contact list & media files;
- Network credentials such as passwords & Certificates;
- Proprietary process descriptions and operating methodologies;
- Personnel records and private employee data;
- Legal data concerning ongoing or planned litigation or contract actions;
- Others such as user’s private documents stored on company computers; and strategic data, including the communications of managerial and executive staff.
Employees Stealing Data / Confidential Information
Employee data theft, also known as insider data theft, occurs when a current or former employee of a company steals sensitive or confidential data for personal gain or to harm the organization. This can include customer information, financial data, trade secrets, or other proprietary information.
Employee data theft can have serious consequences for an organization, including financial losses, reputational damage, and legal liability. It can also lead to data breaches, which can result in the loss of personal information of customers, employees, and other stakeholders.
There are several steps that organizations can take to prevent employee data theft:
- Implementing strict data access controls: Limit the number of employees who have access to sensitive data and monitor their activity to detect any suspicious behavior.
- Conducting background checks: Before hiring new employees, conduct thorough background checks to identify any past criminal activity or other red flags.
- Implementing data encryption: Encrypt sensitive data to protect it from unauthorized access or theft.
- Regular security audits: Regularly audit the organization’s data security systems and policies to detect vulnerabilities and ensure compliance with relevant laws and regulations.
- Employee awareness and training: Regularly train employees on data security policies and procedures, and make them aware of the consequences of data theft.
- Detection and response: Organizations should have a plan in place to detect data theft and respond quickly to minimize the damage.
It’s important for organizations to have a clear and comprehensive data security policy in place, and to enforce it consistently, to prevent employee data theft. Additionally, if an employee is found to have stolen data, organizations should take appropriate disciplinary action and report the incident to the relevant authorities, where necessary.
What is the legal remedy for a data theft?
In India, the first technology legislation, the ‘Information Technology Act,’ came into being in the year 2000. In those days the Act did not provide sufficient protection or solutions for data theft/unauthorized copying of data, as the compensation bracket was limited. Only in the year 2008 did the amended Information Technology Act come into force; one of its crucial amendments concerned Section 43 and Section 43A, where the limit on the compensation awarded under the section was removed. Now, a new bill named the ‘Personal Data Protection Bill’ was drafted by parliament in 2018. It is a copy of the ‘General Data Protection Regulation’ by the EU and gives rights and remedies to Data Subjects (any person whose personal data is being collected, held or processed).
Legal Remedies under the Information Technology Act, 2000:
Section 43 – Penalty and Compensation for damage to the computer, computer system, etc.
Now the Complainant can approach the Adjudicating Officer (who is the IT Secretary of each state) appointed under Section 46 of the Information Technology Act, 2000 (as amended in the year 2008). The respective Adjudicating Officer is competent to handle claims up to Rs. 5 Crore; if the claim amount exceeds Rs. 5 Crore, the Complainant will have to approach the Competent Court. The Adjudicating Officer is the quickest remedy available to the Complainant, as according to the Information Technology Act, the Adjudicating Officer has to pass the final order within a period of 6 months from the date of filing of the Complaint.
Section 43A – Compensation for failure to protect data.
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
Explanation: For the purposes of this section,
- body corporate means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
- reasonable security practices and procedures means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such contract or any act, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;
- Sensitive personal data or information means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
Legal Remedies under Personal Data Protection Bill:
Section 69 – Penalties.
When a data fiduciary i.e., any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data, fails to follow provisions and violates processing of personal data, sensitive personal data, personal data of children, security safeguards, transfers personal data outside India, it will be liable to a penalty which may extend up to fifteen crore rupees or four percent of its total worldwide turnover of the preceding financial year, whichever is higher.
Section 70 – Penalty for failure to comply with data principal requests under Chapter VI.
When any data fiduciary, without any reasonable explanation, fails to comply with any request made by a data principal under Chapter VI of this Act, such data fiduciary shall be liable to a penalty of five thousand rupees for each day during which such default continues, subject to a maximum of ten lakh rupees in case of significant data fiduciaries and five lakh rupees in other cases.
Section 75 – Compensation.
Any data principal who has suffered harm as a result of any violation of any provision under this Act, or rules prescribed or regulations specified hereunder, by a data fiduciary or a data processor, shall have the right to seek compensation from the data fiduciary or the data processor, as the case may be, under this section, through a complaint instituted in such form and manner as may be prescribed before an Adjudicating Officer.
Recent Data Breaches in India:
SpiceJet Data Leak:
SpiceJet’s database was easily accessible using easily guessable password combinations. The personal data of passengers, including names, phone numbers, email addresses, and dates of birth, was stored in an unencrypted database backup file. Additionally, information related to SpiceJet flights was also easily accessible to anyone who knew where to look, the security researchers added. The leaked data also includes personal details of government officials.
A bug in WhatsApp left over 1.5 Bn users across the world vulnerable to a spyware attack using WhatsApp’s calling function. The loophole allowed a hacker to inject spyware into the target phone, thus putting all information on the device at risk of theft and misuse.
Aadhaar Data Leak:
In Feb 2019, details of over 6.7 million Aadhaar cards were leaked by Indian Oil Company, Indane, which was using them for LPG purposes.
Justdial Data Leak:
A loophole in an API exposed the reviewers’ database, which held reviewers’ names, mobile numbers, and locations. All this data was publicly available on the internet, revealing the data of over 100 million users.
Facebook Data Leak:
The Facebook-Cambridge Analytica data breach affected 335 people in India through installation of the app ‘This Is Your Digital Life Quiz’; another 562,120 people were potentially affected as friends of those users.