Is Your Data Safe?
From the very beginning, humans have been after precious things. First it was valuable metals and stones, then came oil, and now everyone is after data. Data means something different to every person: for some, it is photos or videos; for others, it is the lines of code they use to develop programs. Data is the most significant wealth of an individual or a body corporate, but the growing use of data has also increased the chances of a data breach, i.e., data theft or data leak. A data breach is an incident where perpetrators intentionally steal the sensitive data of an individual or body corporate without its knowledge or authorization. As digitalization has increased, data is now stored on cloud servers and is more susceptible to attacks. Sometimes, as employees invest their time in developing programs, they feel they have ownership over the program and steal the data. Recently, the details of 1.3 million Indian debit and credit cards were listed for sale on the dark web, which is the most common kind of data breach that happens. A CIO survey by Forcepoint and Frost & Sullivan found that 69% of Indian organizations are at risk of a data breach, with 44% of them having encountered a data breach before and 25% failing to perform any breach assessment in the last 12 months. We at Netlawgic certainly think that Indian organizations, specifically SMEs, are not giving Information Security its much-deserved importance, more so in today’s digitized world.
How does data theft happen?
System Vulnerabilities – Often, the operating system or antivirus programs are outdated, which allows perpetrators to exploit vulnerabilities in applications, insert malware into programs and steal data.
Weak Passwords – User passwords are usually birthdates or names, which perpetrators can easily guess in order to enter the system or account and access the data or sensitive information. Experts advise having a complex password and changing it from time to time.
Compromised Downloads – When an individual downloads programs or data from compromised websites infected by worms or other malware, the perpetrators gain unauthorized access, gradually encrypt all the data and demand a ransom to decrypt it; if the ransom is not paid in time, they delete all the files.
Phishing – Some perpetrators pose as reputable companies and send emails to individuals to tempt them into revealing personal information, such as passwords, credit card information, UPI PIN, etc.
What are the modes of data theft / Unauthorised Copying of Data?
USB (Pen) Drives & Memory cards – These are the easiest and cheapest options according to these perpetrators and are very easy to hide. Memory cards now come in 512 GB and 1 TB variants, so it has become even more convenient to move a large amount of data in a small package. There is a considerable rise in source code theft cases, wherein employees copy the code and start their own company or sell the system to a competitor for a handsome amount.
Portable Hard Drives – These are also one of the popular mediums, for the obvious reason: large storage capacity.
CD/DVD – This medium was popular back in the days but has become obsolete now.
Email – Some perpetrators use email to transfer files from their official email account to a personal email account or home computer; they move the data slowly over a period of time to avoid detection by the IT department. The perpetrators in this scenario are generally disgruntled employees. They send these emails to their private accounts on the pretext of working from home.
Web-Mail – Some web-mail interfaces provide larger file attachments than conventional email service providers.
Printing – Some perpetrators would not leave any electronic evidence behind; they take prints of the critical documents and steal them as hard copies.
Remote Access – This can be either unauthorized access (hacking) or authorized access, as some organizations provide remote access to their employees so that they can work from their home computers; this also makes tracing the data difficult for law enforcement agencies or private investigators.
Cloud – We have seen more than sufficient cases to date where famous cloud services were hacked like a piece of cake. The hacked data is either held for ransom or sold on the dark web. Even though sufficient care is taken to block these kinds of illegal hacking activities, today’s hackers are unfortunately not two but ten steps ahead.
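The slow, many-small-messages pattern described under Email above is missed by checks that look at each message alone; summing outbound volume per sender over a trailing window catches it. The following is an added example, not code from the original article, assuming a constructed mail-gateway log format, a hypothetical list of personal webmail domains and hypothetical per-message and cumulative thresholds:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound mail-gateway log lines (not real data).
SAMPLE_LOG = """\
2024-03-01T09:10:00 from=r.mehta@corp.example to=r.mehta.home@gmail.com bytes=800000
2024-03-04T18:40:00 from=r.mehta@corp.example to=r.mehta.home@gmail.com bytes=900000
2024-03-09T19:05:00 from=r.mehta@corp.example to=r.mehta.home@gmail.com bytes=950000
2024-03-15T20:30:00 from=r.mehta@corp.example to=r.mehta.home@gmail.com bytes=700000
2024-03-02T11:00:00 from=s.rao@corp.example to=vendor@partner.example bytes=500000
2024-03-03T12:00:00 from=s.rao@corp.example to=s.rao@yahoo.com bytes=100000
"""

PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed list
PER_MESSAGE_LIMIT = 1_000_000    # hypothetical per-message DLP threshold (bytes)
WINDOW = timedelta(days=30)      # trailing window over which volume is summed
CUMULATIVE_LIMIT = 3_000_000     # hypothetical per-sender threshold within WINDOW

def parse(line):
    """Turn one 'ts key=value ...' log line into a dict."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "sender": fields["from"],
            "rcpt": fields["to"], "bytes": int(fields["bytes"])}

def per_message_alerts(log_text):
    """Naive check: only messages that are individually large are flagged."""
    events = (parse(l) for l in log_text.splitlines() if l.strip())
    return [e["sender"] for e in events if e["bytes"] > PER_MESSAGE_LIMIT]

def slow_exfil_alerts(log_text):
    """Flag senders whose volume to personal webmail exceeds the limit within WINDOW."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    history = defaultdict(list)   # sender -> [(timestamp, bytes)] to personal webmail
    alerts = []
    for e in events:
        if e["rcpt"].split("@")[1].lower() not in PERSONAL_WEBMAIL:
            continue
        history[e["sender"]].append((e["ts"], e["bytes"]))
        # Each message alone stays under PER_MESSAGE_LIMIT, so sum the trailing window.
        recent = [b for t, b in history[e["sender"]] if e["ts"] - t <= WINDOW]
        total = sum(recent)
        if total > CUMULATIVE_LIMIT and all(a["sender"] != e["sender"] for a in alerts):
            alerts.append({"sender": e["sender"], "messages": len(recent), "bytes": total})
    return alerts
```

On the sample, the per-message check raises nothing, while the windowed sum flags the sender who split 3.35 MB across four small messages to a personal Gmail address.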
What kind of data can be stolen/copied?
Everything stored in an organization or by an individual has some potential value; some of the targets for data thieves are as follows:
- Customer contact & Financial data such as credit card and debit card information;
- Source codes & Algorithms;
- Marketing information such as Plans, Contact list & media files;
- Network credentials such as passwords & Certificates;
- Proprietary process descriptions and operating methodologies;
- Personnel records and private employee data;
- Legal data concerning ongoing or planned litigation or contract actions;
- Others such as user’s private documents stored on company computers; and strategic data, including the communications of managerial and executive staff.
What is the legal remedy for data theft?
In India, the first technology legislation, the ‘Information Technology Act’, came into being in the year 2000. In those days the Act did not provide sufficient protection or remedies in data theft/unauthorized copying of data scenarios, as the compensation bracket was limited; only in the year 2008 did the amended Information Technology Act come into force, one of its crucial amendments being the removal of the compensation limit under Section 43 and Section 43A. Now, a new bill drafted by parliament in 2018, the ‘Personal Data Protection Bill’, which is a copy of the EU’s ‘General Data Protection Regulation’, gives rights and remedies to Data Subjects (any person whose personal data is being collected, held or processed).
Legal Remedies under the Information Technology Act, 2000:
Section 43 – Penalty and Compensation for damage to the computer, computer system, etc.
Now the Complainant can approach the Adjudicating Officer (the IT Secretary of each state) appointed under Section 46 of the Information Technology Act, 2000 (as amended in the year 2008). The respective Adjudicating Officer is competent to handle claims up to Rs. 5 Crore; if the claim amount exceeds Rs. 5 Crore, the Complainant will have to approach the Competent Court. The Adjudicating Officer is the quickest remedy available to the Complainant, as according to the Information Technology Act, the Adjudicating Officer has to pass the final order within a period of 6 months from the date of filing of the Complaint.
Section 43A – Compensation for failure to protect data.
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
Explanation. For the purposes of this section,
- body corporate means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
- reasonable security practices and procedures means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such contract or any act, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;
- Sensitive personal data or information means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
Legal Remedies under Personal Data Protection Bill:
Section 69 – Penalties.
When a data fiduciary i.e., any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data, fails to follow provisions and violates processing of personal data, sensitive personal data, personal data of children, security safeguards, transfers personal data outside India, it will be liable to a penalty which may extend up to fifteen crore rupees or four percent of its total worldwide turnover of the preceding financial year, whichever is higher.
Section 70 – Penalty for failure to comply with data principal requests Chapter VI.
When any data fiduciary, without any reasonable explanation, fails to comply with any request made by a data principal under Chapter VI of this Act, such data fiduciary shall be liable to a penalty of five thousand rupees for each day during which such default continues, subject to a maximum of ten lakh rupees in case of significant data fiduciaries and five lakh rupees in other cases.
Section 75 Compensation.
Any data principal who has suffered harm as a result of any violation of any provision under this Act, or rules prescribed or regulations specified hereunder, by a data fiduciary or a data processor, shall have the right to seek compensation from the data fiduciary or the data processor, as the case may be, under this section, by a complaint instituted in such form and manner as may be prescribed before an Adjudicating Officer.
Recent Data Breaches in India:
SpiceJet Data Leak:
SpiceJet’s database was easily accessible using easily guessable password combinations. The personal data of passengers including names, phone numbers, email addresses, and dates of birth, was stored in an unencrypted database backup file. Additionally, information related to SpiceJet flights was also easily accessible for anyone who knew where to look, the security researchers added. The leaked data also includes personal details of government officials.
WhatsApp Spyware Bug:
A bug in WhatsApp left over 1.5 Bn users across the world vulnerable to spyware attacks using WhatsApp’s calling function. The loophole allowed a hacker to inject spyware into the target phone, thus putting all information on the device at risk of theft and misuse.
Aadhaar Data Leak:
In Feb 2019, over 6.7 million Aadhaar Card details were leaked by Indian Oil Company’s Indane, which was using them for LPG purposes.
Justdial Data Leak:
A loophole in Justdial’s API exposed the reviewers’ database, which contained reviewers’ names, mobile numbers and locations. All of this data was publicly available on the internet, revealing over 100 million users’ data.
Facebook Data Leak:
The Facebook-Cambridge Analytica data breach affected 335 people in India who installed the ‘This Is Your Digital Life Quiz’ app; another 562,120 people were potentially affected as friends of those users.