Recently, security researcher Rajashekhar Rajaharia felt he was doing his duty when, on two occasions, February 26 and March 4, he tried to draw the attention of Mobikwik’s leadership to what many see as the biggest data breach in Indian history. As a provider of a mobile payment system and digital wallet, Mobikwik processes the data of millions of customers, including sensitive personal information. All Rajashekhar wanted was for the company to notify its users of the breach and of the steps taken to remedy it. He was responding to a hacker who claimed to have access to the card details of over 100 million Mobikwik customers. What he was not prepared for was the company’s counterattack, which called him a “media freak” and threatened legal action against him.
Soon there was independent corroboration from the anonymous hacker Elliot Alderson and from Alon Gal, the chief technology officer of the Israeli security firm Hudson Rock, who argued that this was the biggest KYC breach in India. Anyone using a Tor browser to look at the dark web could find a huge collection of data, including the KYC records of 3.5 million people, the phone numbers and bank details of nearly 100 million people and, in some cases, even geolocation data, put up for sale for a paltry 1.5 bitcoin, or around 62 lakh rupees. As more users discovered that their data was available online, the company maintained its defiant stance that no data had been leaked from its database, and its CEO took to Twitter to talk about the company’s “made in India” credentials, which have nothing to do with data security. He went on to suggest that the data could have leaked from other platforms.
A further cause for concern is that the anonymous hacker who posted the data claims that the KYC details have already been used to obtain micro-loans. Unless the company responsible for the data owns up to the breach and informs every user whose data has been published, there may be an avalanche of such micro-loans, taken out in the names of users who may not even be aware of the breach, with the burden of repayment falling on them.
This raises the question of what the regulatory ecosystem is for, and whether it will intervene, in a scenario where security experts report a major breach while the entity in question denies it. There are reports that the Reserve Bank of India has asked Mobikwik to investigate the matter, but this comes far too late. CERT-In, the national agency for responding to IT security incidents as they arise, should have immediately ordered an independent audit to trace the breach and enforce corrective action. Mobikwik is in the process of preparing its initial public offering, and it is understandable that it wishes to avoid negative publicity. That is all the more reason for the Department of Commercial Affairs to have investigated the reported leak and suspended the IPO if the breach was real.
Over the past year, the need for swift passage of the Personal Data Protection Bill 2019 (PDPB) has been raised on several occasions to deal with exactly this kind of situation. Under the current laws, a data breach cannot be effectively punished if the business chooses to ignore it and the government is unwilling to take the bull by the horns. It is true that Section 43A of the Information Technology Act, introduced by the 2008 amendment, together with the rules notified under it in April 2011, can be used to hold a business to account: whenever a body corporate handles sensitive personal data or information and is negligent in maintaining reasonable security practices to protect it, thereby causing wrongful loss or wrongful gain to any person, it is liable to pay damages by way of compensation to the person or persons so affected. Likewise, a company may be held liable for breach of confidentiality and privacy under Section 72 of the same Act. Even the IPC offers the user some protection under the offence of criminal breach of trust. But all of these processes are arduous, and the simplest first step would be to make the breach public and ask the affected users to change their bank details.
It is time for the government to recognise the growing value of data security and act to protect user data by passing the PDPB at the earliest. And let the messenger not be shot. Cybersecurity is a cooperative exercise, and the institutions charged with it must not only do their job but also be seen to do it. A little transparency will go a long way.
The writer, a defense and cybersecurity analyst, is the former national director of General Dynamics.